Abstract

Model checking is a promising technology, which has been applied for verification of many hardware and software systems. In this paper, we introduce the concept of model update towards the development of an automatic system modification tool that extends model checking functions. We define primitive update operations on the models of Computation Tree Logic (CTL) and formalize the principle of minimal change for CTL model update. These primitive update operations, together with the underlying minimal change principle, serve as the foundation for CTL model update. Essential semantic and computational characterizations are provided for our CTL model update approach. We then describe a formal algorithm that implements this approach. We also illustrate two case studies of CTL model updates for the well-known microwave oven example and the Andrew File System 1, from which we further propose a method to optimize the update results in complex system modifications.
1. Introduction

Model checking is one of the most effective technologies for automatic system verification. In the model checking approach, the system behaviours are modeled by a Kripke structure, and the specification properties that we require the system to meet are expressed as formulas in a propositional temporal logic, e.g., CTL. Then the model checker, e.g., SMV, takes the Kripke model and a formula as input, and verifies whether the formula is satisfied by the Kripke model. If the formula is not satisfied in the Kripke model, the system will report errors, and possibly provide useful information (e.g., counterexamples).

Over the past decade, model checking technology has been considerably developed, and many effective model checking tools have been demonstrated through provision of thorough automatic error diagnosis in complex designs, e.g., (Amla, Du, Kuehlmann, Kurshan, & McMillan, 2005; Berard, Bidoit, Finkel, Laroussinie, Petit, Petrucci, & Schnoebelen, 2001; Boyer & Sighireanu, 2003; Chauhan, Clarke, Kukula, Sapra, Veith, & Wang, 2002; Wing & Vaziri-Farahani, 1995). Some current state-of-the-art model checkers, such as SMV (Clarke, Grumberg, & Peled, 1999), NuSMV (Cimatti, Clarke, Giunchiglia, & Roveri, 1999) and Cadence SMV (McMillan & Amla, 2002), employ the SMV specification language for both Computation Tree Logic (CTL) and Linear Temporal Logic (LTL) variants (Clarke et al., 1999; Huth & Ryan, 2004). Other model checkers, such as SPIN (Holzmann, 2003), use the Promela specification language for on-the-fly LTL model checking. Additionally, the MCK (Gammie & van der Meyden, 2004) model checker was developed by integrating a knowledge operator into CTL model checking to verify knowledge-related properties of security protocols.

Although model checking approaches have been used for verification of problems in large complex systems, one major limitation of these approaches is that they can only verify the correctness of a system specification. In other words, if errors are identified in a system specification by model checking, the task of correcting the system is completely left to the system designers. That is, model checking is generally used only to verify the correctness of a system, not to modify it. Although the idea of repair has indeed been proposed for model-based diagnosis, repairing a system is only possible for specific cases (Dennis, Monroy, & Nogueira, 2006; Stumptner & Wotawa, 1996).

1.1 Motivation 

Since model checking can handle complex system verification problems and as it may be 
implemented via fast algorithms, it is quite natural to consider whether we can develop 
associated algorithms so that they can handle system modification as well. The idea of 
integrating model checking and automatic modification has been investigated in recent 
years. Buccafurri, Eiter, Gottlob, and Leone (1999) have proposed an approach whereby 
AI techniques are combined with model checking such that the enhanced algorithm can not 
only identify errors for a concurrent system, but also provide possible modifications for the 
system. 

In the above approach, a system is described as a Kripke structure $M$, and a modification $\tau$ for $M$ is a set of state transitions that may be added to or removed from $M$. If a CTL formula $\phi$ is not satisfied in $M$, i.e., the system contains errors with respect to property $\phi$, then $M$ will be repaired by adding new state transitions or removing existing ones specified in $\tau$. As a result, the new Kripke structure $M'$ will then satisfy formula $\phi$. The approach of Buccafurri et al. (1999) integrates model checking and abductive theory revision to perform system repairs. They also demonstrate how their approach can be applied to repair concurrent programs.

It has been observed that this type of system repair is quite restricted, as only relation elements (i.e., state transitions) in a Kripke model can be changed¹. This implies that errors can only be fixed by changing system behaviors. In fact, as we will show in this paper, allowing change to both states and relation elements in a Kripke structure significantly enhances the system repair process in most situations. Also, since providing all admissible modifications (i.e., the set $\tau$) is a pre-condition of any repair, the approach of Buccafurri et al. lacks flexibility. Indeed, as stated by the authors themselves, their approach may not be general enough for other system modifications.

On the other hand, knowledge-base update has been the subject of extensive study in the AI community since the late 1980s. Winslett's Possible Models Approach (PMA) is viewed as pioneering work towards a model-based minimal change approach for knowledge-base update (Winslett, 1988). Many researchers have since proposed different approaches to knowledge system update (e.g., see references from Eiter & Gottlob, 1992; Herzig & Rifi, 1999). Of these works, Harris and Ryan (2002, 2003) considered using an update approach for system modification, where they designed update operations to tackle feature integration, performing theory change and belief revision. However, their study focused mainly on the theoretical properties of system update, and practical implementation of their approach in system modification remains unclear.

1. NB: No state changes occur in the specified system repairs (see Definitions 3.2 and 3.3 in Buccafurri et al., 1999).

Baral and Zhang (2005) recently developed a formal approach to knowledge update based on single-agent S5 Kripke structures, observing that system modification is closely related to knowledge update. From the knowledge dynamics perspective, we can view the finite transition system, which represents a real-time complex system, as a model of a knowledge set (i.e., a Kripke model). Thus the problem of system modification is reduced to the problem of updating this model so that the new updated model satisfies the knowledge formula.

This observation motivated the initial development of a general approach to updating 
Kripke models, which can be integrated into model checking technology, towards a more 
general automatic system modification. Ding and Zhang's work (2005) may be viewed as the 
first attempt to apply this idea to LTL model update. The LTL model update modifies the 
existing LTL model of an abstracted system to automatically correct the errors occurring 
within this model. 

Based on the investigation described above, we intend to integrate knowledge update 
and CTL model checking to develop a practical model updater, which represents a general 
method for automatic system repairs. 

1.2 Contributions of This Paper 

The overall aim of our work is to design a model updater that extends model checking with error repair (see the schematic in Figure 1). The outcome from the updater is a corrected Kripke model. The model updater's function is to automatically correct errors reported (possibly as counterexamples) by a model checking compiler. Eventually, the model updater is intended to be a universal compiler that can be used in certain common situations for model error detection and correction.




Figure 1: CTL model update.



The main contributions of this paper are described as follows: 
1. We propose a formal framework for CTL model update. Firstly, we define primitive CTL model update operations and, based on these operations, specify a minimal change principle for the CTL model update. We then study the relationship between the proposed CTL model update and traditional propositional belief update. Interestingly, we prove that our CTL model update obeys all Katsuno and Mendelzon update postulates (U1) - (U8). We further provide important characterizations for special CTL model update formulas such as $EX\phi$, $AG\phi$ and $EG\phi$. These characterizations play an important role in optimization of the update procedure. Finally, we study the computational properties of CTL model update and show that, in general, the model checking problem for CTL model update is co-NP-complete. We also classify a useful subclass of CTL model update problems that can be performed in polynomial time.

2. We develop a formal algorithm for CTL model update. In principle, our algorithm 
can perform an update on a given CTL Kripke model with an arbitrary satisfiable 
CTL formula and generate a model that satisfies the input formula and has a minimal 
change with respect to the original model. The model then can be viewed as a possible 
correction on the original system specification. Based on this algorithm, we implement 
a system prototype of CTL model updater in C code in Linux. 

3. We demonstrate important applications of our CTL model update approach by two case studies of the well-known microwave oven example (Clarke et al., 1999) and the Andrew File System 1 (Wing & Vaziri-Farahani, 1995). Through these case studies, we further propose a new update principle of minimal change with maximal reachable states, which can significantly improve the update results in complex system modification scenarios.

In summary, our work presented in this paper is an initial step towards the formal study of automatic system modification. This approach may be integrated into existing model checkers so that we may develop a unified methodology and system for model checking and model correction. In this sense, our work will enhance the current model checking technology. Some results presented in this paper were published in ECAI 2006 (Ding & Zhang, 2006).

The rest of the paper is organized as follows. An overview of CTL syntax and semantics is provided in Section 2.1. Primitive update operations on CTL models are defined in Section 3, and a minimal change principle for CTL model update is then developed. Section 4 consists of a study of the relationship between CTL model update and Katsuno and Mendelzon's update postulates (U1) - (U8), and various characterizations for some special CTL model updates. In Section 5, a general computational complexity result of CTL model update is proved, and a useful tractable subclass of CTL model update problems is identified. A formal algorithm for the proposed CTL model update approach is described in Section 6. In Section 7, two update case studies are illustrated to demonstrate applications of our CTL model update approach. Section 8 proposes an improved CTL model update approach which can significantly optimize the update results in complex system modification scenarios. Finally, the paper concludes with some future work discussions in Section 9.
2. Preliminaries

In this section, we briefly review the syntax and semantics of Computation Tree Logic and 
basic concepts of belief update, which are the foundation for our CTL model update. 

2.1 CTL Syntax and Semantics 

To begin with, we briefly review CTL syntax and semantics (refer to Clarke et al., 1999 and 
Huth & Ryan, 2004 for details). 

Definition 1 Let $AP$ be a set of atomic propositions. A Kripke model $M$ over $AP$ is a triple $M = (S, R, L)$ where:

1. $S$ is a finite set of states;

2. $R \subseteq S \times S$ is a binary relation representing state transitions;

3. $L : S \to 2^{AP}$ is a labeling function that assigns each state a set of atomic propositions.

An example of a finite Kripke model is represented by the graph in Figure 2, where each node represents a state in $S$, which is attached to the set of propositional atoms assigned by the labeling function, and an edge represents a state transition, i.e., a relation element in $R$ describing a system transition from one state to another.




Figure 2: Transition state graph. 



Computation Tree Logic (CTL) is a temporal logic allowing us to refer to the future. It is also a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined but consists of different paths, any one of which might be the 'actual' path that is eventually realized (Huth & Ryan, 2004).

Definition 2 CTL has the following syntax given in Backus-Naur form:

$\phi ::= \top \mid \bot \mid p \mid (\neg\phi) \mid (\phi_1 \wedge \phi_2) \mid (\phi_1 \vee \phi_2) \mid (\phi_1 \to \phi_2) \mid AX\phi \mid EX\phi \mid AG\phi \mid EG\phi \mid AF\phi \mid EF\phi \mid A[\phi_1 U \phi_2] \mid E[\phi_1 U \phi_2]$

where $p$ is any propositional atom.
A CTL formula is evaluated on a Kripke model. A path in a Kripke model from a state is an (infinite) sequence of states. Note that for a given path, the same state may occur an infinite number of times in the path (i.e., the path contains a loop). To simplify the following discussion, we may identify states in a path with different position subscripts, although states occurring in different positions in the path may be the same. In this way, we can say that one state precedes another in a path without much confusion. Now we can present useful notions in a formal way. Let $M = (S, R, L)$ be a Kripke model and $s \in S$. A path in $M$ starting from $s$ is denoted as $\pi = [s_0, s_1, \cdots, s_i, s_{i+1}, \cdots]$, where $s_0 = s$ and $(s_i, s_{i+1}) \in R$ holds for all $i \geq 0$. We write $s_i \in \pi$ if $s_i$ is a state occurring in the path $\pi$. If a path $\pi = [s_0, s_1, \cdots, s_i, \cdots, s_j, \cdots]$ and $i < j$, we also denote $s_i < s_j$. Furthermore, for a given path $\pi$, we use the notation $s \leq s_i$ to denote a state $s$ that is the state $s_i$ or $s < s_i$. For simplicity, we may use $succ(s)$ to denote state $s'$ if there is a relation element $(s, s')$ in $R$.



Definition 3 Let $M = (S, R, L)$ be a Kripke model for CTL. Given any $s$ in $S$, we define whether a CTL formula $\phi$ holds in $M$ at state $s$. We denote this by $(M, s) \models \phi$. The satisfaction relation $\models$ is defined by structural induction on all CTL formulas:

1. $(M, s) \models \top$ and $(M, s) \not\models \bot$ for all $s \in S$.

2. $(M, s) \models p$ iff $p \in L(s)$.

3. $(M, s) \models \neg\phi$ iff $(M, s) \not\models \phi$.

4. $(M, s) \models \phi_1 \wedge \phi_2$ iff $(M, s) \models \phi_1$ and $(M, s) \models \phi_2$.

5. $(M, s) \models \phi_1 \vee \phi_2$ iff $(M, s) \models \phi_1$ or $(M, s) \models \phi_2$.

6. $(M, s) \models \phi_1 \to \phi_2$ iff $(M, s) \models \neg\phi_1$ or $(M, s) \models \phi_2$.

7. $(M, s) \models AX\phi$ iff for all $s_1$ such that $(s, s_1) \in R$, $(M, s_1) \models \phi$.

8. $(M, s) \models EX\phi$ iff for some $s_1$ such that $(s, s_1) \in R$, $(M, s_1) \models \phi$.

9. $(M, s) \models AG\phi$ iff for all paths $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$, $\forall s_i \in \pi$, $(M, s_i) \models \phi$.

10. $(M, s) \models EG\phi$ iff there is a path $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$ and $\forall s_i \in \pi$, $(M, s_i) \models \phi$.

11. $(M, s) \models AF\phi$ iff for all paths $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$, $\exists s_i \in \pi$, $(M, s_i) \models \phi$.

12. $(M, s) \models EF\phi$ iff there is a path $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$ and $\exists s_i \in \pi$, $(M, s_i) \models \phi$.

13. $(M, s) \models A[\phi_1 U \phi_2]$ iff for all paths $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$, $\exists s_i \in \pi$, $(M, s_i) \models \phi_2$ and for each $j < i$, $(M, s_j) \models \phi_1$.

14. $(M, s) \models E[\phi_1 U \phi_2]$ iff there is a path $\pi = [s_0, s_1, s_2, \cdots]$ where $s_0 = s$, $\exists s_i \in \pi$, $(M, s_i) \models \phi_2$ and for each $j < i$, $(M, s_j) \models \phi_1$.
From the above definition, we can see that the intuitive meanings of A, E, X, and G are quite clear: A means for all paths, E means that there exists a path, X refers to the next state and G means for all states globally. Then the semantics of a CTL formula is easy to capture as follows.

In the first six clauses, the truth value of the formula in the state depends on the truth value of $\phi_1$ or $\phi_2$ in the same state. For example, the truth value of $\neg\phi$ in a state only depends on the truth value of $\phi$ in the same state. This contrasts with clauses 7 and 8 for $AX$ and $EX$. For instance, the truth value of $AX\phi$ in a state $s$ is determined not by $\phi$'s truth value in $s$, but by $\phi$'s truth values in states $s'$ where $(s, s') \in R$; if $(s, s) \in R$, then this value also depends on the truth value of $\phi$ in $s$.

The next four clauses (9 - 12) also exhibit this phenomenon. For example, the truth value of $AG\phi$ involves looking at the truth value of $\phi$ not only in the immediately related states, but in indirectly related states as well. In the case of $AG\phi$, we must examine the truth value of $\phi$ in every state related by any number of forward links (paths) to the current state $s$. In clauses 13 and 14, the symbol $U$ may be explained as "until": a path $\pi = [s_0, s_1, s_2, \cdots]$ satisfies $\phi_1 U \phi_2$ if there is a state $s_i \in \pi$ such that $(M, s) \models \phi_1$ for all $s < s_i$, until $(M, s_i) \models \phi_2$.

Clauses 9-14 above refer to computation paths in models. It is, therefore, useful to visualize all possible computation paths from a given state $s$ by unwinding the transition system to obtain an infinite computation tree. This greatly facilitates deciding whether a state satisfies a CTL formula. The unwound tree of the graph in Figure 2 is depicted in Figure 3 (note that we assume $s_0$ is the initial state in this Kripke model).




In Figure 3, if $\phi = r$, then $AXr$ is true; if $\phi = q$, then $EXq$ is true. In the same figure, if $\phi = r$, then $AFr$ is true because some states on all paths will satisfy $r$ some time in the future. If $\phi = q$, $EFq$ is true because some states on some paths will satisfy $q$ some time in the future. The clauses for $AG$ and $EG$ can be explained in Figure 4. In this tree, all states satisfy $r$. Thus, $AGr$ is true in this Kripke model. There is one path where all states satisfy $\phi = q$. Thus, $EGq$ is true in this Kripke model.
The following De Morgan rules and equivalences (Huth & Ryan, 2004) will be useful for our CTL model update algorithm implementation:

$\neg EF\phi = AG\neg\phi$;

$\neg AX\phi = EX\neg\phi$;

$AF\phi = A[\top U \phi]$;

$EF\phi = E[\top U \phi]$;

$A[\phi_1 U \phi_2] = \neg(E[\neg\phi_2 U (\neg\phi_1 \wedge \neg\phi_2)] \vee EG\neg\phi_2)$.

In the rest of this paper, without explicit declaration, we will assume that all CTL formulas occurring in our context are satisfiable. For instance, if we consider updating a Kripke model to satisfy a CTL formula $\phi$, we already assume that $\phi$ is satisfiable.

From Definition 3, we can see that for a given CTL Kripke model $M = (S, R, L)$, if $(M, s) \models \phi$ and $\phi$ is a propositional formula, then $\phi$'s truth value solely depends on the labeling function $L$'s assignment on state $s$. In this case we may simply write $L(s) \models \phi$ if there is no confusion from the context.
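As an added illustration (not code from the paper), the following Python implements the satisfaction clauses of Definition 3 as an explicit-state labelling procedure and evaluates the model $M$ of Example 1 (Section 3.1); it also checks three of the equivalences listed above on every state. Path operators are computed by the usual fixpoint characterisations, which coincide with the path-based clauses because every state of $M$ has a successor (an assumption of this example); the names `Kripke`, `sat`, `holds`, `example_checks` and `equivalences_hold` are the example's own.

```python
# Added example (not from the paper): an explicit-state checker for the CTL
# satisfaction clauses of Definition 3, run on the model M of Example 1.
# Path operators use fixpoint characterisations; these agree with the path-based
# clauses provided every state has a successor (true for M; assumed in general).
from dataclasses import dataclass


@dataclass(frozen=True)
class Kripke:
    S: frozenset   # states
    R: frozenset   # relation elements (s, s')
    L: dict        # labeling function: state -> frozenset of atoms

    def succ(self, s):
        return {t for (u, t) in self.R if u == s}


# Formulas are nested tuples: ('true',), ('false',), ('atom', 'p'), ('not', f),
# ('and', f, g), ('or', f, g), ('imp', f, g), ('AX', f), ('EX', f), ('AG', f),
# ('EG', f), ('AF', f), ('EF', f), ('AU', f, g), ('EU', f, g).

def _fixpoint(start, step):
    """Iterate a monotone step function from `start` until the set stabilises."""
    cur = set(start)
    while True:
        nxt = step(cur)
        if nxt == cur:
            return cur
        cur = nxt


def sat(M, f):
    """Set of states of M at which CTL formula f holds (clauses 1-14)."""
    op, S = f[0], set(M.S)
    if op == 'true':  return S
    if op == 'false': return set()
    if op == 'atom':  return {s for s in S if f[1] in M.L[s]}
    if op == 'not':   return S - sat(M, f[1])
    if op == 'and':   return sat(M, f[1]) & sat(M, f[2])
    if op == 'or':    return sat(M, f[1]) | sat(M, f[2])
    if op == 'imp':   return (S - sat(M, f[1])) | sat(M, f[2])
    if op == 'EX':
        X = sat(M, f[1]); return {s for s in S if M.succ(s) & X}
    if op == 'AX':
        X = sat(M, f[1]); return {s for s in S if M.succ(s) <= X}
    if op == 'EG':   # greatest fixpoint Z = f ∩ EX Z
        return _fixpoint(sat(M, f[1]), lambda Z: {s for s in Z if M.succ(s) & Z})
    if op == 'AG':   # greatest fixpoint Z = f ∩ AX Z
        return _fixpoint(sat(M, f[1]), lambda Z: {s for s in Z if M.succ(s) <= Z})
    if op == 'EU':   # least fixpoint Z = g ∪ (f ∩ EX Z)
        F, G = sat(M, f[1]), sat(M, f[2])
        return _fixpoint(G, lambda Z: Z | {s for s in F if M.succ(s) & Z})
    if op == 'AU':   # least fixpoint Z = g ∪ (f ∩ AX Z)
        F, G = sat(M, f[1]), sat(M, f[2])
        return _fixpoint(G, lambda Z: Z | {s for s in F if M.succ(s) <= Z})
    if op == 'EF':    return sat(M, ('EU', ('true',), f[1]))
    if op == 'AF':    return sat(M, ('AU', ('true',), f[1]))
    raise ValueError(f"unknown operator {op}")


def holds(M, s, f):
    """(M, s) |= f"""
    return s in sat(M, f)


# Model M of Example 1: three states, six relation elements, L as in the paper.
M_EX1 = Kripke(
    S=frozenset({"s0", "s1", "s2"}),
    R=frozenset({("s0", "s0"), ("s0", "s1"), ("s0", "s2"),
                 ("s1", "s1"), ("s2", "s2"), ("s2", "s1")}),
    L={"s0": frozenset({"p", "q"}), "s1": frozenset({"q", "r"}), "s2": frozenset({"r"})},
)
p, q, r = ('atom', 'p'), ('atom', 'q'), ('atom', 'r')


def example_checks(M=M_EX1, s="s0"):
    """Truth values of a few formulas at s0 of M (the paper notes (M, s0) does not satisfy AGp)."""
    return {
        "AGp":    holds(M, s, ('AG', p)),      # False: s1 and s2 are reachable and lack p
        "EXq":    holds(M, s, ('EX', q)),      # True:  successor s1 satisfies q
        "AFr":    holds(M, s, ('AF', r)),      # False: the path s0 s0 s0 ... never reaches r
        "EFr":    holds(M, s, ('EF', r)),      # True
        "A[qUr]": holds(M, s, ('AU', q, r)),   # False, for the same looping path
        "E[qUr]": holds(M, s, ('EU', q, r)),   # True:  s0 (q) then s1 (r)
    }


def equivalences_hold(M, f, g):
    """Check on every state of M that  ¬EFf = AG¬f,  ¬AXf = EX¬f  and
    A[fUg] = ¬(E[¬g U (¬f ∧ ¬g)] ∨ EG¬g),  with AG/AU computed directly."""
    nf, ng = ('not', f), ('not', g)
    rhs_au = sat(M, ('not', ('or', ('EU', ng, ('and', nf, ng)), ('EG', ng))))
    return (sat(M, ('not', ('EF', f))) == sat(M, ('AG', nf))
            and sat(M, ('not', ('AX', f))) == sat(M, ('EX', nf))
            and sat(M, ('AU', f, g)) == rhs_au)
```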

2.2 Belief Update 

Belief change has been a primary research topic in the AI community for almost two decades, e.g., (Gardenfors, 1988; Winslett, 1990). Basically, it studies the problem of how an agent can change its beliefs when it wants to bring new beliefs into its belief set. There are two types of belief change, namely belief revision and belief update. Intuitively, belief revision is used to modify a belief set in order to accept new information about the static world, while belief update is to bring the belief set up to date when the world is described by its changes.

Katsuno and Mendelzon (1991) have discovered that the original AGM revision postulates cannot precisely characterize the feature of belief update. They proposed the following alternative update postulates, and argued that any propositional belief update operator should satisfy these postulates. In the following postulates (U1) - (U8), all occurrences of $T$, $\mu$, $\alpha$, etc. are propositional formulas.

(U1) $T \circ \mu \models \mu$.

(U2) If $T \models \mu$ then $T \circ \mu \equiv T$.

(U3) If both $T$ and $\mu$ are satisfiable then $T \circ \mu$ is also satisfiable.

(U4) If $T_1 \equiv T_2$ and $\mu_1 \equiv \mu_2$ then $T_1 \circ \mu_1 \equiv T_2 \circ \mu_2$.

(U5) $(T \circ \mu) \wedge \alpha \models T \circ (\mu \wedge \alpha)$.

(U6) If $T \circ \mu_1 \models \mu_2$ and $T \circ \mu_2 \models \mu_1$ then $T \circ \mu_1 \equiv T \circ \mu_2$.

(U7) If $T$ is complete (i.e., has a unique model) then $(T \circ \mu_1) \wedge (T \circ \mu_2) \models T \circ (\mu_1 \vee \mu_2)$.

(U8) $(T_1 \vee T_2) \circ \mu \equiv (T_1 \circ \mu) \vee (T_2 \circ \mu)$.

As shown by Katsuno and Mendelzon (1991), postulates (U1) - (U8) precisely capture the minimal change criterion for update that is defined based on a certain partial ordering on models. As a typical model-based belief update approach, here we briefly introduce Winslett's Possible Models Approach (PMA) (Winslett, 1990). We consider a propositional language $\mathcal{L}$. Let $I_1$ and $I_2$ be two Herbrand interpretations of $\mathcal{L}$. The symmetric difference between $I_1$ and $I_2$ is defined as $diff(I_1, I_2) = (I_1 - I_2) \cup (I_2 - I_1)$. Then for a given interpretation $I$, we define a partial ordering $\leq_I$ as follows: $I_1 \leq_I I_2$ if and only if $diff(I, I_1) \subseteq diff(I, I_2)$. Let $\mathcal{I}$ be a collection of interpretations; we denote by $Min(\mathcal{I}, \leq_M)$ the set of all minimal models from $\mathcal{I}$ with respect to ordering $\leq_M$, where model $M$ is fixed. Now let $\phi$ and $\mu$ be two propositional formulas; the update of $\phi$ with $\mu$ using the PMA, denoted as $\phi \circ_{pma} \mu$, is defined as follows:

$Mod(\phi \circ_{pma} \mu) = \bigcup_{M \in Mod(\phi)} Min(Mod(\mu), \leq_M)$,

where $Mod(\psi)$ denotes the set of all models of formula $\psi$. It can be proved that the PMA update operator $\circ_{pma}$ satisfies all postulates (U1) - (U8).

Our work on CTL model update has a close connection to the idea of belief update. As will be shown in this paper, in our approach, we view a CTL Kripke model as a description of the world that we are interested in, i.e., the description of a system of dynamic behaviours, and the update on this Kripke model occurs when the setting of the system of dynamic behaviours has to change to accommodate some desired properties. Although there is a significant difference between classical propositional belief update and our CTL model update, we will show that Katsuno and Mendelzon's update postulates (U1) - (U8) are also suitable to characterize the minimal change principle for our CTL model update.

3. Minimal Change for CTL Model Update 

We would like to extend the idea of minimal change in belief update to our CTL model update. In principle, when we need to update a CTL Kripke model to satisfy a CTL formula, we expect the updated model to retain as much information as possible represented in the original model. In other words, we prefer to change the model in a minimal way to achieve our goal. In this section, we will propose formal metrics of minimal change for CTL model update.

3.1 Primitive Update Operations 

Given a CTL Kripke model and a (satisfiable) CTL formula, we consider how this model can be updated in order to satisfy the given formula. From the discussion in the previous section, we try to incorporate a minimal change principle into our update approach. As the first step towards this aim, we should have a way to measure the difference between two CTL Kripke models in relation to a given model. We first illustrate our initial consideration of this aspect through an example.

Example 1 Consider a simple CTL model $M = (\{s_0, s_1, s_2\}, \{(s_0, s_0), (s_0, s_1), (s_0, s_2), (s_1, s_1), (s_2, s_2), (s_2, s_1)\}, L)$, where $L(s_0) = \{p, q\}$, $L(s_1) = \{q, r\}$ and $L(s_2) = \{r\}$. $M$ is described as in Figure 5.



Figure 5: Model M.



Now consider formula $AGp$. Clearly, $(M, s_0) \not\models AGp$. One way to update $M$ to satisfy $AGp$ is to update states $s_1$ and $s_2$ so that both updated states satisfy $p$². Therefore, we obtain a new CTL model $M' = (\{s_0, s_1, s_2\}, \{(s_0, s_0), (s_0, s_1), (s_0, s_2), (s_1, s_1), (s_2, s_2), (s_2, s_1)\}, L')$, where $L'(s_0) = L(s_0) = \{p, q\}$, $L'(s_1) = \{p, q, r\}$ and $L'(s_2) = \{p, r\}$. In this update, we can see that the labeling function has been changed to associate different truth assignments with states $s_1$ and $s_2$. Another way to update $M$ to satisfy formula $AGp$ is to simply remove relation elements $(s_0, s_1)$ and $(s_0, s_2)$ from $M$; this gives $(M'', s_0) \models AGp$, where $M'' = (\{s_0, s_1, s_2\}, \{(s_0, s_0), (s_1, s_1), (s_2, s_2), (s_2, s_1)\}, L)$. This more closely resembles the approach of Buccafurri et al. (1999), where no state changes occur. It is interesting to note that the first of the updated models retains the same "structure" as the original, while it is significantly changed in the second. These two possible results are described in Figure 6. □



2. Precisely, we update the labeling function $L$ so that it changes the truth assignments to $s_1$ and $s_2$.
Figure 6: Two possible results of updating M with AGp.



The above example shows that in order to update a CTL model to satisfy a formula, we may apply different kinds of operations to change the model. From all possible operations applicable to a CTL model, we consider five basic ones by which all changes on a CTL model can be achieved.

PU1: Adding one relation element

Given $M = (S, R, L)$, its updated model $M' = (S', R', L')$ is obtained from $M$ by adding only one new relation element. That is, $S' = S$, $L' = L$, and $R' = R \cup \{(s_i, s_j)\}$, where $(s_i, s_j) \notin R$ for two states $s_i, s_j \in S$.

PU2: Removing one relation element

Given $M = (S, R, L)$, its updated model $M' = (S', R', L')$ is obtained from $M$ by removing only one existing relation element. That is, $S' = S$, $L' = L$, and $R' = R - \{(s_i, s_j)\}$, where $(s_i, s_j) \in R$ for two states $s_i, s_j \in S$.

PU3: Changing labeling function on one state

Given $M = (S, R, L)$, its updated model $M' = (S', R', L')$ is obtained from $M$ by changing the labeling function on a particular state. That is, $S' = S$, $R' = R$, $\forall s \in (S' - \{s^*\})$, $s^* \in S$, $L'(s) = L(s)$, and $L'(s^*)$ is a set of true variables assigned in state $s^*$ where $L'(s^*) \neq L(s^*)$.

PU4: Adding one state

Given $M = (S, R, L)$, its updated model $M' = (S', R', L')$ is obtained from $M$ by adding only one new state. That is, $S' = S \cup \{s^*\}$, $s^* \notin S$, $R' = R$, and $\forall s \in S$, $L'(s) = L(s)$ and $L'(s^*)$ is a set of true variables assigned in $s^*$.

PU5: Removing one isolated state

Given $M = (S, R, L)$, its updated model $M' = (S', R', L')$ is obtained from $M$ by removing only one isolated state: $S' = S - \{s^*\}$, where $s^* \in S$ and $\forall s \in S$ such that $s \neq s^*$, neither $(s, s^*)$ nor $(s^*, s)$ is in $R$; $R' = R$, and $\forall s \in S'$, $L'(s) = L(s)$.

We call the above five operations primitive since they express all kinds of changes to a 
CTL model. Figure 7 illustrates examples of applying some of these operations on a model. 

In the above five operations, PU1, PU2, PU4 and PU5 represent the most basic operations on a graph. Generally, using these four operations, we can perform any changes to a CTL model. For instance, if we want to substitute a state in a CTL model, we do the following: (1) remove all relation elements associated with this state, (2) remove this isolated state, (3) add the state that we want to replace the original one with, and (4) add all relevant relation elements associated with this new state.

Although these four operations are sufficient to represent all changes on a CTL model, they sometimes complicate the measure of the changes of CTL models. Consider the case of a state substitution. Given a CTL model $M$, if one CTL model $M'$ has exactly the same graphical structure as $M$ except that $M'$ only has one particular state different from $M$, then we tend to think that $M'$ is obtained from $M$ with a single change of state replacement, instead of from a sequence of operations PU1, PU2, PU4 and PU5.

This motivates us to have operation PU3. PU3 has the effect of state substitution, but it is fundamentally different from the combination of PU1, PU2, PU4 and PU5, because PU3 does not change the state name and relation elements in the original model; it only assigns a different set of propositional atoms to that state in the original model. In this sense, the combination of PU1, PU2, PU4 and PU5 cannot replace operation PU3. Using PU3 to represent state substitution significantly simplifies our measure of the model difference, as will be illustrated in Definition 4. In the rest of the paper, we assume that all state substitutions in a CTL model will be achieved through PU3 so that we have a unique way to measure the differences in CTL model changes in relation to state substitutions.

We should also note that, having operation PU3 as a way to substitute a state in a CTL model, PU5 becomes unnecessary, because we actually do not need to remove an isolated state from a model. All we need is to remove the relevant relation element(s) in the model, so that this state becomes unreachable from the initial state. Nevertheless, to keep our discussion coherent with all primitive operations described above, in the following definition of CTL minimal change we still consider the measure of changes caused by applying PU5 in a CTL model update.




Figure 7: Illustration of primitive updates (left: after PU2 is applied to M; right: after PU2, PU2, PU5, PU4 and further operations are applied to M).



3.2 Defining Minimal Change 

Following the traditional belief update principle, in order to make a CTL model satisfy some property, we would expect the given CTL model to be changed as little as possible. By using primitive update operations, a CTL Kripke model may be updated in different ways: adding or removing state transitions, adding new states, and changing the labeling function for some state(s) in the model. Therefore, we first need to have a method to measure the changes of CTL models, from which we can develop a minimal change criterion for CTL model update.

Given two CTL models $M = (S, R, L)$ and $M' = (S', R', L')$, for each operation $PUi$ ($i = 1, \cdots, 5$), $Diff_{PUi}(M, M')$ denotes the difference between the two models where $M'$ is an updated model from $M$, which makes clear that several operations of type $PUi$ have occurred. Since PU1 and PU2 only change relation elements, we define $Diff_{PU1}(M, M') = R' - R$ (adding relation elements only) and $Diff_{PU2}(M, M') = R - R'$ (removing relation elements only). For operation PU3, since only the labeling function is changed, the difference measure between $M$ and $M'$ for PU3 is defined as $Diff_{PU3}(M, M') = \{s \mid s \in S \cap S' \text{ and } L(s) \neq L'(s)\}$. For operations PU4 and PU5, on the other hand, we define $Diff_{PU4}(M, M') = S' - S$ (adding states) and $Diff_{PU5}(M, M') = S - S'$ (removing states). Let $\mathcal{M} = (M, s)$ and $\mathcal{M}' = (M', s')$; for convenience, we also denote $Diff(\mathcal{M}, \mathcal{M}') = (Diff_{PU1}(M, M'), Diff_{PU2}(M, M'), Diff_{PU3}(M, M'), Diff_{PU4}(M, M'), Diff_{PU5}(M, M'))$.

It is worth mentioning that given two CTL Kripke models $M$ and $M'$, there is no ambiguity in computing $Diff_{PUi}(M, M')$ ($i = 1, \cdots, 5$), because each primitive operation will only cause one type of change (states, relation elements, or labeling function) in the models no matter how many times it has been applied. Now we can precisely define the ordering $\leq_M$ on CTL models.

Definition 4 (Closeness ordering) Let $M$, $M_1$ and $M_2$ be three CTL Kripke models. We say that $M_1$ is at least as close to $M$ as $M_2$, denoted as $M_1 \leq_M M_2$, if and only if for each set of PU1-PU5 operations that transform $M$ to $M_2$, there exists a set of PU1-PU5 operations that transform $M$ to $M_1$ such that the following conditions hold:

(1) for each $i$ ($i = 1, \cdots, 5$), $Diff_{PUi}(M, M_1) \subseteq Diff_{PUi}(M, M_2)$, and

(2) if $Diff_{PU3}(M, M_1) = Diff_{PU3}(M, M_2)$, then for each $s \in Diff_{PU3}(M, M_1)$, $diff(L(s), L_1(s)) \subseteq diff(L(s), L_2(s))$.

We denote $M_1 <_M M_2$ if $M_1 \leq_M M_2$ and $M_2 \not\leq_M M_1$.

Definition 4 presents a measure on the difference between two models with respect to 
a given model. Intuitively, we say that model $M_1$ is closer to $M$ relative to model $M_2$ if 
(1) $M_1$ is obtained from $M$ by applying all primitive update operations that cause fewer 
changes than those applied to obtain model $M_2$; and (2) if the set of states in $M_1$ affected 
by applying PU3 is the same as that in $M_2$, then we take a closer look at the difference 
in the sets of propositional atoms associated with the relevant states. Having the ordering 
specified in Definition 4, we can define a CTL model update formally. 

Definition 5 (Admissible update) Given a CTL Kripke model $M = (S, R, L)$, $\mathcal{M} = 
(M, s_0)$ where $s_0 \in S$, and a CTL formula $\phi$, a CTL Kripke model $Update(\mathcal{M}, \phi)$ is called 
an admissible model (or admissible updated model) if the following conditions hold: (1) 
$Update(\mathcal{M}, \phi) = (M', s'_0)$, $(M', s'_0) \models \phi$, where $M' = (S', R', L')$ and $s'_0 \in S'$; and, (2) there 
does not exist another updated model $M'' = (S'', R'', L'')$ and $s''_0 \in S''$ such that $(M'', s''_0) \models \phi$ 
and $M'' <_M M'$. We use $Poss(Update(\mathcal{M}, \phi))$ to denote the set of all possible admissible 
models of updating $\mathcal{M}$ to satisfy $\phi$. 
Example 2 In Figure 8, model $M$ is updated in two different ways. Model $M_1$ is the result 
of updating $M$ by applying PU1. Model $M_2$ is another update of $M$ resulting from applying 
PU1, PU2 and PU5. Then we have $Diff_{PU1}(M, M_1) = \{(s_1, s_0)\}$ and $Diff_{PU1}(M, M_2) = 
\{(s_1, s_0), (s_0, s_2)\}$, which results in $Diff_{PU1}(M, M_1) \subseteq Diff_{PU1}(M, M_2)$. Also, it is easy to 
see that $Diff_{PU2}(M, M_1) = \emptyset$ and $Diff_{PU2}(M, M_2) = \{(s_3, s_0), (s_2, s_3)\}$, so $Diff_{PU2}(M, M_1) 
\subseteq Diff_{PU2}(M, M_2)$. Similarly, we can see that $Diff_{PU3}(M, M_1) = Diff_{PU3}(M, M_2) = \emptyset$, 
and $Diff_{PU4}(M, M_1) = Diff_{PU4}(M, M_2) = \emptyset$. Finally, we have $Diff_{PU5}(M, M_1) = \emptyset$ and 
$Diff_{PU5}(M, M_2) = \{s_3\}$. According to Definition 4, we have $M_1 \leq_M M_2$. □ 




Figure 8: Illustration of minimal change rules. 
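As an added illustration (not code from the paper), the following Python implements the five difference measures $Diff_{PU1}$ to $Diff_{PU5}$ and the closeness test of Definition 4, and runs it on constructed models chosen so that their differences match those reported in Example 2; the full models of Figure 8 are not reproduced here, so `M`, `M1`, `M2` and the tie-breaking pair `M3`, `M4` are assumptions of this example.

```python
# Added example, not from the paper: Diff_PU1..Diff_PU5 and the ordering <=_M
# of Definition 4.  A Kripke model is a triple (S, R, L): S a set of state
# names, R a set of (source, target) transitions, L a dict from state to the
# set of propositional atoms true in it.

def diff_pu(M, Mp):
    """Return the tuple (Diff_PU1, ..., Diff_PU5) for M updated to Mp."""
    S, R, L = M
    Sp, Rp, Lp = Mp
    return (
        Rp - R,                                  # PU1: relation elements added
        R - Rp,                                  # PU2: relation elements removed
        {s for s in S & Sp if L[s] != Lp[s]},    # PU3: states relabelled
        Sp - S,                                  # PU4: states added
        S - Sp,                                  # PU5: states removed
    )

def atom_diff(a, b):
    """diff(L(s), L'(s)): the atoms on which two labelings of s disagree."""
    return a ^ b

def at_least_as_close(M, M1, M2):
    """M1 <=_M M2 (Definition 4): componentwise inclusion of the five
    difference sets, with a tie on Diff_PU3 broken by per-state atom diffs."""
    d1, d2 = diff_pu(M, M1), diff_pu(M, M2)
    if not all(x <= y for x, y in zip(d1, d2)):      # condition (1)
        return False
    if d1[2] == d2[2]:                               # condition (2)
        L, L1, L2 = M[2], M1[2], M2[2]
        return all(atom_diff(L[s], L1[s]) <= atom_diff(L[s], L2[s])
                   for s in d1[2])
    return True

def strictly_closer(M, M1, M2):
    """M1 <_M M2: M1 <=_M M2 but not M2 <=_M M1."""
    return at_least_as_close(M, M1, M2) and not at_least_as_close(M, M2, M1)

# Constructed models (assumed; chosen to reproduce the Diff sets of Example 2).
S = {"s0", "s1", "s2", "s3"}
R = {("s0", "s1"), ("s1", "s2"), ("s2", "s3"), ("s3", "s0")}
L = {"s0": {"p"}, "s1": {"q"}, "s2": set(), "s3": {"p"}}
M = (S, R, L)

# M1: a single PU1 operation adding (s1, s0).
M1 = (set(S), R | {("s1", "s0")}, dict(L))

# M2: PU1 twice, PU2 twice and PU5 once (s3 removed together with its transitions).
M2 = (S - {"s3"},
      (R | {("s1", "s0"), ("s0", "s2")}) - {("s3", "s0"), ("s2", "s3")},
      {s: L[s] for s in S - {"s3"}})

# M3 and M4 both relabel s2 (a tie on Diff_PU3), so condition (2) decides:
# M3 changes one atom of s2, M4 changes two.
M3 = (set(S), set(R), {**L, "s2": {"p"}})
M4 = (set(S), set(R), {**L, "s2": {"p", "q"}})

if __name__ == "__main__":
    print("Diff(M, M1):", diff_pu(M, M1))
    print("Diff(M, M2):", diff_pu(M, M2))
    print("M1 <=_M M2:", at_least_as_close(M, M1, M2))
    print("M3 <_M M4:", strictly_closer(M, M3, M4))
```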

We should note that in a CTL model update, if we can simply replace the initial state 
by another existing state in the model to satisfy the formula, then this model actually has 
not been changed, and it is the unique admissible model according to Definition 5. In this 
case, all other updates will be ruled out by Definition 5. For example, consider the CTL 
model $M$ described in Figure 9: if we want to update $(M, s_0)$ with $AXp$, we can see that 
$(M, s_1)$ becomes the only admissible updated model according to our definition: we simply 
replace the initial state $s_0$ by $s_1$. Nevertheless, we would expect that some other update 
may also be equally reasonable. For instance, we may change the labeling function of $M$ 
to make $L'(s_1) = \{p\}$. In both updates, we have changed something in $M$, but the change 
caused by the first update is not represented in our minimal change definition. 

Figure 9: A special model update scenario. 

We can overcome this difficulty by adding a dummy state $\natural$ to a CTL Kripke model $M$, 
and for each initial state $s$ in $M$, we add a relation element $(\natural, s)$ into $M$. In this way, a change 
of initial state from $s$ to $s'$ will imply a removal of relation element $(\natural, s)$ and an addition 
of a new relation element $(\natural, s')$. Such changes will be measured by our minimal change 
definition. With this treatment, both updated models described above are admissible. In 
the rest of the paper, without explicit declaration, we will assume that each CTL Kripke 
model contains a dummy state $\natural$ and special state transitions from $\natural$ to all initial states. 

4. Semantic Properties 

In this section, we first explore the relationship between our CTL model update and tra- 
ditional belief update, and then provide useful semantic characterizations on some typical 
CTL model update cases. 

4.1 Relationship to Propositional Belief Update 

First we show the following result about the ordering $\leq_M$ defined in Definition 4. 

Proposition 1 $\leq_M$ is a partial ordering. 

Proof: From Definition 4, it is easy to see that $\leq_M$ is reflexive and antisymmetric. Now 
we show that $\leq_M$ is also transitive. Suppose $M_1 \leq_M M_2$ and $M_2 \leq_M M_3$. According 
to Definition 4, we have $Diff_{PU_i}(M, M_1) \subseteq Diff_{PU_i}(M, M_2)$ and $Diff_{PU_i}(M, M_2) \subseteq 
Diff_{PU_i}(M, M_3)$ ($i = 1, \cdots, 5$). Consequently, we have $Diff_{PU_i}(M, M_1) \subseteq Diff_{PU_i}(M, M_3)$ 
($i = 1, \cdots, 5$). So Condition 1 in Definition 4 holds. Now consider Condition 2 in the 
definition. The only case we need to consider is that $Diff_{PU3}(M, M_1) = Diff_{PU3}(M, M_2)$ 
and $Diff_{PU3}(M, M_2) = Diff_{PU3}(M, M_3)$ (note that all other cases will directly imply 
$Diff_{PU3}(M, M_1) \subseteq Diff_{PU3}(M, M_3)$ and $Diff_{PU3}(M, M_1) \neq Diff_{PU3}(M, M_3)$). In this 
case, it is obvious that for all $s \in Diff_{PU3}(M, M_1) = Diff_{PU3}(M, M_3)$, $diff(L(s), L_1(s)) \subseteq 
diff(L(s), L_3(s))$. So we have $M_1 \leq_M M_3$. □ 

It is also interesting to consider a special case of our CTL model update where the update 
formula is a classical propositional formula. The following proposition indicates that when 
only a propositional formula is considered in CTL model update, the admissible model can 
be obtained through the traditional model based belief update approach (Winslett, 1988). 

Proposition 2 Let $M = (S, R, L)$ be a CTL model and $s_0 \in S$. Suppose that $\phi$ is a 
satisfiable propositional formula and $(M, s_0) \not\models \phi$; then an admissible model of updating 
$(M, s_0)$ to satisfy $\phi$ is $(M', s_0)$, where $M' = (S, R, L')$, for each $s \in (S - \{s_0\})$, $L'(s) = L(s)$, 
$L'(s_0) \models \phi$, and there does not exist another $M'' = (S, R, L'')$ such that $L''(s_0) \models \phi$ and 
$diff(L(s_0), L''(s_0)) \subset diff(L(s_0), L'(s_0))$. 

Proof: Since $\phi$ is a propositional formula, the update on $(M, s_0)$ to satisfy $\phi$ will not affect 
any relation elements or any states other than $s_0$. Since $L(s_0) \not\models \phi$, it is obvious that 
by applying PU3, we can change the labeling function $L$ to $L'$ that assigns $s_0$ a new set of 
propositional atoms to satisfy $\phi$. Then from Definition 5, we can see that the model specified 
in the proposition is indeed a minimally changed CTL model with respect to ordering $\leq_M$. □ 

We can see that the problem addressed by our CTL model update is essentially different 
from the problem considered in traditional propositional belief update. Nevertheless, the 
idea of model based minimal change for CTL model update is closely related to belief update. 
Therefore, it is worth investigating the relationship between our CTL model update and the 
traditional propositional belief update postulates (U1) - (U8). In order to make such a 
comparison possible, we should lift the update operator occurring in postulates (U1) - (U8) 
beyond the propositional logic case. 

For this purpose, we first introduce some notions. Given a CTL formula $\phi$ and Kripke 
model $M = (S, R, L)$, let $Init(S) \subseteq S$ be the set of all initial states in $M$. $(M, s)$ is called 
a model of $\phi$ iff $(M, s) \models \phi$, where $s \in Init(S)$. We use $Mod(\phi)$ to denote the set of all 
models of $\phi$. Now we specify an update operator $\circ_c$ to impose on CTL formulas as follows: 
given two CTL formulas $\psi$ and $\phi$, we define $\psi \circ_c \phi$ to be a CTL formula whose models 
are defined as: 

$Mod(\psi \circ_c \phi) = \bigcup_{(M, s) \in Mod(\psi)} Poss(Update((M, s), \phi))$. 

Theorem 1 Operator $\circ_c$ satisfies all Katsuno and Mendelzon update postulates (U1) - 
(U8). 

Proof: From Definitions 4 and 5, it is easy to verify that $\circ_c$ satisfies (U1)-(U4). We prove 
that $\circ_c$ satisfies (U5). To prove $(\psi \circ_c \mu) \wedge \alpha \models \psi \circ_c (\mu \wedge \alpha)$, it is sufficient to prove that for each 
model $(M, s) \in Mod(\psi)$, $Poss(Update((M, s), \mu)) \cap Mod(\alpha) \subseteq Poss(Update((M, s), \mu \wedge \alpha))$. 
In particular, we need to show that for any $(M', s') \in Poss(Update((M, s), \mu)) \cap Mod(\alpha)$, 
$(M', s') \in Poss(Update((M, s), \mu \wedge \alpha))$. Suppose $(M', s') \notin Poss(Update((M, s), \mu \wedge \alpha))$. 
Then we have (1) $(M', s') \not\models \mu \wedge \alpha$; or (2) there exists a different admissible model $(M'', s'') \in 
Mod(\mu \wedge \alpha)$ such that $M'' <_M M'$. If it is case (1), then $(M', s') \notin Poss(Update((M, s), \mu)) \cap 
Mod(\alpha)$. So the result holds. If it is case (2), it also implies that $(M'', s'') \models \mu$ and 
$M'' <_M M'$. That means $(M', s') \notin Poss(Update((M, s), \mu))$. The result still holds. 

Now we prove that $\circ_c$ satisfies (U6). To prove this result, it is sufficient to prove that for 
any $(M, s) \in Mod(\psi)$, if $Poss(Update((M, s), \mu_1)) \subseteq Mod(\mu_2)$ and $Poss(Update((M, s), \mu_2)) 
\subseteq Mod(\mu_1)$, then $Poss(Update((M, s), \mu_1)) = Poss(Update((M, s), \mu_2))$. We first prove 
$Poss(Update((M, s), \mu_1)) \subseteq Poss(Update((M, s), \mu_2))$. Let $(M', s') \in Poss(Update((M, s), 
\mu_1))$. Then $(M', s') \models \mu_2$. Suppose $(M', s') \notin Poss(Update((M, s), \mu_2))$. Then there exists a 
different admissible model $(M'', s'') \in Poss(Update((M, s), \mu_2))$ such that $M'' <_M M'$. Also 
note that $(M'', s'') \models \mu_1$. This contradicts the fact that $(M', s') \in Poss(Update((M, s), \mu_1))$. 
So we have $Poss(Update((M, s), \mu_1)) \subseteq Poss(Update((M, s), \mu_2))$. Similarly, we can prove 
that $Poss(Update((M, s), \mu_2)) \subseteq Poss(Update((M, s), \mu_1))$. 

To prove that $\circ_c$ satisfies (U7), it is sufficient to prove that $Poss(Update((M, s), \mu_1)) \cap 
Poss(Update((M, s), \mu_2)) \subseteq Poss(Update((M, s), \mu_1 \vee \mu_2))$, where $(M, s)$ is the unique model 
of $\psi$ (note that $\psi$ is complete). Let $(M', s') \in Poss(Update((M, s), \mu_1)) \cap Poss(Update((M, s), 
\mu_2))$. Suppose $(M', s') \notin Poss(Update((M, s), \mu_1 \vee \mu_2))$. Then there exists an admissible 
model $(M'', s'') \in Poss(Update((M, s), \mu_1 \vee \mu_2))$ such that $M'' <_M M'$. Note that 
$(M'', s'') \models \mu_1 \vee \mu_2$. If $(M'', s'') \models \mu_1$, then it implies that $(M', s') \notin Poss(Update((M, s), \mu_1))$. 
If $(M'', s'') \models \mu_2$, then it implies $(M', s') \notin Poss(Update((M, s), \mu_2))$. In both cases, we 
have $(M', s') \notin Poss(Update((M, s), \mu_1)) \cap Poss(Update((M, s), \mu_2))$. This proves the 
result. 

Finally, we show that $\circ_c$ satisfies (U8). From Definition 5, we have that $Mod((\psi_1 \vee \psi_2) \circ_c 
\mu) = \bigcup_{(M, s) \in Mod(\psi_1 \vee \psi_2)} Poss(Update((M, s), \mu)) = \bigcup_{(M, s) \in Mod(\psi_1)} Poss(Update((M, s), \mu)) 
\cup \bigcup_{(M, s) \in Mod(\psi_2)} Poss(Update((M, s), \mu)) = Mod(\psi_1 \circ_c \mu) \cup Mod(\psi_2 \circ_c \mu)$. This completes 
our proof. □ 

From Theorem 1, it is evident that Katsuno and Mendelzon's update postulates (Ul) - 
(U8) characterize a wide range of update formulations beyond the propositional logic case, 
where model based minimal change principle is employed. In this sense, we can view that 
Katsuno and Mendelzon's update postulates (Ul) - (U8) are essential requirements for any 
model based update approaches. 

4.2 Characterizing Special CTL Model Updates 

From the previous description, we observe that, for a given CTL Kripke model $M$ and formula 
$\phi$, there may be many admissible models satisfying $\phi$, where some are simpler than others. 
In this section, we provide various results that present possible solutions to achieve admis- 
sible updates under certain conditions. In general, in order to achieve admissible update 
results, we may have to combine various primitive operations during an update process. 
Nevertheless, as will be shown below, a single type primitive operation will be enough to 
achieve an admissible updated model in many situations. These characterizations also play 
an essential role in simplifying CTL model update implementation. 

Firstly, the following proposition simply shows that during a CTL update only reachable 
states will be taken into account, in the sense that unreachable states will never be removed 
or newly introduced. 

Proposition 3 Let $M = (S, R, L)$ be a CTL Kripke model, $s_0 \in S$ an initial state of $M$, $\phi$ 
a satisfiable CTL formula and $(M, s_0) \not\models \phi$. Suppose $(M', s'_0)$ is an admissible model after 
updating $(M, s_0)$ with $\phi$, where $M' = (S', R', L')$. Then the following properties hold: 

1. if $s$ is a state in $M$ (i.e. $s \in S$) and is not reachable from $s_0$ (i.e. there does not exist 
a path $\pi = [s_0, \cdots]$ in $M$ such that $s \in \pi$), then $s$ must also be a state in $M'$ (i.e. 
$s \in S'$); 

2. if $s'$ is a state in $M'$ and is not reachable from $s'_0$, then $s'$ must also be a state in $M$. 

Proof: We only give the proof of result 1 since the proof for result 2 is similar. Suppose $s$ 
is not in $M'$. That is, $s$ has been removed from $M$ during the generation of $(M', s'_0)$. From 
Definitions 4 and 5, we know that the only way to remove $s$ from $M$ is to apply operation 
PU5 (and possibly other associated operations such as PU2, removing transition relations, 
if $s$ is connected to other states). 

Now we construct a new CTL Kripke model $M''$ in such a way that $M''$ is exactly the 
same as $M'$ except that $s$ is also in $M''$. That is, $M'' = (S'', R'', L'')$, where $S'' = S' \cup \{s\}$, 
$R'' = R'$, for all $s^* \in S'$, $L''(s^*) = L'(s^*)$, and $L''(s) = L(s)$. Note that in $M''$, state $s$ is 
an isolated state, not connected to any other states. Since $s$ is in $M$, from Definition 4 we 
can see that $M'' <_M M'$. Now we will show that $(M'', s'_0) \models \phi$. We prove this by showing 
a slightly more general result: 

Result: For any satisfiable CTL formula $\phi$ and any state $s^* \in S'$, $(M'', s^*) \models \phi$ 
iff $(M', s^*) \models \phi$. 

This can be shown by induction on the structure of $\phi$. (a) Suppose $\phi$ is a propositional 
formula. In this case, $(M'', s^*) \models \phi$ iff $L''(s^*) \models \phi$. Since $L''(s^*) = L'(s^*)$, and $(M', s^*) \models \phi$ 
iff $L'(s^*) \models \phi$, we have $(M', s^*) \models \phi$ iff $(M'', s^*) \models \phi$. (b) Assume that the result holds for 
formula $\phi$. (c) We consider various cases for formulas constructed from $\phi$. (c.1) Suppose 
the formula is of the form $AG\phi$. $(M', s^*) \models AG\phi$ iff for every path from $s^*$, $\pi' = [s^*, \cdots]$, and for 
every state $s' \in \pi'$, $(M', s') \models \phi$. From the construction of $M''$, it is obvious that every 
path from $s^*$ in $M'$ must also be a path in $M''$, and vice versa. Also from the induction 
assumption, we have $(M', s') \models \phi$ iff $(M'', s') \models \phi$. It follows that $(M', s^*) \models AG\phi$ iff 
$(M'', s^*) \models AG\phi$. Proofs for other cases such as $AF\phi$, $EG\phi$, etc. are similar. 

Thus, we can find another model $M''$ such that $(M'', s'_0) \models \phi$ and $M'' <_M M'$. This 
contradicts the fact that $(M', s'_0)$ is an admissible model from the update of $(M, s_0)$ by 
$\phi$. □ 

Theorem 2 Let $M = (S, R, L)$ be a Kripke model and $\mathcal{M} = (M, s_0) \not\models EX\phi$, where $s_0 \in S$ 
and $\phi$ is a propositional formula. Let $\mathcal{M}' = Update(\mathcal{M}, EX\phi)$ be the model obtained from the 
update of $\mathcal{M}$ with $EX\phi$ through the following 1 or 2; then $\mathcal{M}'$ is an admissible model. 

1. PU3 is applied to one $succ(s_0)$ to make $L'(succ(s_0)) \models \phi$ and 
$diff(L(succ(s_0)), L'(succ(s_0)))$ minimal, or, PU4 and PU1 are applied once successively 
to add a new state $s^*$ such that $L'(s^*) \models \phi$ and a new relation element $(s_0, s^*)$; 

2. if there exists some $s_i \in S$ such that $L(s_i) \models \phi$ and $s_i \neq succ(s_0)$, PU1 is applied 
once to add a new relation element $(s_0, s_i)$. 

Proof: Consider case 1 first. After PU3 is applied to change the assignment on $succ(s_0)$, 
or PU4 and PU1 are applied to add a new state $s^*$ and a relation element $(s_0, s^*)$, the new 
model $M'$ contains a $succ(s_0)$ such that $L'(succ(s_0)) \models \phi$. Thus, $\mathcal{M}' = (M', s_0) \models EX\phi$. If 
PU3 is applied once, then $Diff(\mathcal{M}, \mathcal{M}') = (\emptyset, \emptyset, \{succ(s_0)\}, \emptyset, \emptyset)$; if PU4 and PU1 are applied 
once successively, $Diff(\mathcal{M}, \mathcal{M}') = (\{(s_0, s^*)\}, \emptyset, \emptyset, \{s^*\}, \emptyset)$. Thus, updates by a single 
application of PU3 or applications of PU4 and PU1 once successively are not compatible 
with each other. For PU3, if any other update is applied in combination, $Diff(\mathcal{M}, \mathcal{M}'')$ will 
either be not compatible with $Diff(\mathcal{M}, \mathcal{M}')$ or contain $Diff(\mathcal{M}, \mathcal{M}')$ (e.g., another PU3 
together with its predecessor). A similar situation occurs with the applications of PU4 
and PU1. Thus, applying either PU3 once or PU4 and PU1 once successively represents 
a minimal change. For case 2, after PU1 is applied to connect $s_0$ and $s_i$ with $L(s_i) \models \phi$, the new 
model $M'$ has a successor which satisfies $\phi$. Thus, $\mathcal{M}' = (M', s_0) \models EX\phi$. If PU1 is applied, 
$Diff(\mathcal{M}, \mathcal{M}') = (\{(s_0, s_i)\}, \emptyset, \emptyset, \emptyset, \emptyset)$. Note that this case remains a minimal change of the 
relation elements on the original model $\mathcal{M}$ and is not compatible with case 1. Hence, case 2 
also represents a minimal change. □ 

Theorem 2 provides two cases where admissible CTL model update results can be 
achieved for formula $EX\phi$. It is important to note that here we restrict $\phi$ to be a proposi- 
tional formula. The first case says that we can either select one of the successor states of 
$s_0$ and change its assignment minimally to satisfy $\phi$ (i.e., apply PU3 once), or simply add 
a new state that satisfies $\phi$ and a new relation element making it a successor of $s_0$ (i.e., apply PU4 
and PU1 once successively). The second case indicates that if some state $s_i$ in $S$ already 
satisfies $\phi$, then it is enough to simply add a new relation element $(s_0, s_i)$ to make it a 
successor of $s_0$. Clearly, both cases will yield new CTL models that satisfy $EX\phi$. 

Theorem 3 Let $M = (S, R, L)$ be a Kripke model and $\mathcal{M} = (M, s_0) \not\models AG\phi$, where $s_0 \in S$, 
$\phi$ is a propositional formula and $s_0 \models \phi$. Let $\mathcal{M}' = Update(\mathcal{M}, AG\phi)$ be a model obtained 
from the update of $\mathcal{M}$ with $AG\phi$ in the following way; then $\mathcal{M}'$ is an admissible model. 
For each path starting from $s_0$, $\pi = [s_0, \cdots, s_i, \cdots]$: 

1. if for all $s < s_i$ in $\pi$, $L(s) \models \phi$ but $L(s_i) \not\models \phi$, PU2 is applied to remove relation 
element $(s_{i-1}, s_i)$; or 

2. PU3 is applied to all states $s$ in $\pi$ not satisfying $\phi$ to change their assignments such 
that $L'(s) \models \phi$ and $diff(L(s), L'(s))$ is minimal. 

Proof: Case 1 is simply to cut path $\pi$ from the first state $s_i$ that does not satisfy $\phi$. Clearly, 
there is only one minimal way to cut $\pi$: remove relation element $(s_{i-1}, s_i)$ (i.e., apply PU2 
once). Case 2 is to minimally change the assignments for all states belonging to $\pi$ that do 
not satisfy $\phi$. Since the changes imposed by case 1 and case 2 are not compatible with each 
other, both will generate admissible update results. □ 

In Theorem 3, case 1 considers a special form of the path $\pi$ where the first $i$ states 
starting from $s_0$ already satisfy formula $\phi$. Under this condition, we can simply cut off the 
path to disconnect all other states not satisfying $\phi$. Case 2 is straightforward: we minimally 
modify the assignments of all states belonging to $\pi$ that do not satisfy formula $\phi$. 
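As an added example (not the paper's own implementation), the Python below carries out Theorem 2 case 2 (connect $s_0$ to an existing state satisfying $\phi$ with one PU1) and Theorem 3 case 1 (cut every path at the first state violating $\phi$ with PU2), and confirms the results with small $EX$ and $AG$ checkers; the model, atoms and the representation of $\phi$ as a predicate on a state's atom set are assumptions of this example.

```python
# Added example, not from the paper: Theorem 2 (case 2) and Theorem 3 (case 1)
# as executable update procedures on a constructed Kripke model (S, R, L),
# with the propositional formula phi given as a predicate over an atom set.
from collections import deque

def succ(R, s):
    """Successor states of s under the transition relation R."""
    return {t for (u, t) in R if u == s}

def sat_ex(M, s, phi):
    """(M, s) |= EX phi for propositional phi."""
    S, R, L = M
    return any(phi(L[t]) for t in succ(R, s))

def sat_ag(M, s, phi):
    """(M, s) |= AG phi: every state reachable from s (s included) satisfies phi."""
    S, R, L = M
    seen, todo = {s}, deque([s])
    while todo:
        u = todo.popleft()
        if not phi(L[u]):
            return False
        for t in succ(R, u) - seen:
            seen.add(t)
            todo.append(t)
    return True

def update_ex_case2(M, s0, phi):
    """Theorem 2, case 2: if some s_i with L(s_i) |= phi is not yet a successor
    of s0, add the single relation element (s0, s_i) (one PU1 operation).
    Returns (M', s_i), or None when no such s_i exists."""
    S, R, L = M
    candidates = sorted(s for s in S if phi(L[s]) and s not in succ(R, s0))
    if not candidates:
        return None
    si = candidates[0]   # every candidate gives an admissible model; choose deterministically
    return (set(S), R | {(s0, si)}, dict(L)), si

def update_ag_case1(M, s0, phi):
    """Theorem 3, case 1: on every path from s0 whose prefix satisfies phi, remove
    the transition (s_{i-1}, s_i) into the first state s_i with L(s_i) |/= phi.
    Only phi-states are traversed, so each removed edge leaves a phi-prefix.
    Returns (M', Diff_PU2) where Diff_PU2 is the set of removed relation elements."""
    S, R, L = M
    if not phi(L[s0]):
        raise ValueError("Theorem 3 requires s0 |= phi")
    seen, todo, removed = {s0}, deque([s0]), set()
    while todo:
        u = todo.popleft()
        for t in succ(R, u):
            if not phi(L[t]):
                removed.add((u, t))      # PU2 at the first violating state
            elif t not in seen:
                seen.add(t)
                todo.append(t)
    return (set(S), R - removed, dict(L)), removed

# Constructed model (assumed): s3 is a q-only sink reachable via s1.
S = {"s0", "s1", "s2", "s3"}
R = {("s0", "s1"), ("s1", "s2"), ("s2", "s0"), ("s1", "s3"), ("s3", "s3")}
L = {"s0": {"p"}, "s1": {"p"}, "s2": {"p", "q"}, "s3": {"q"}}
M = (S, R, L)
has_p = lambda atoms: "p" in atoms
has_q = lambda atoms: "q" in atoms

if __name__ == "__main__":
    print("(M, s0) |= EX q:", sat_ex(M, "s0", has_q))
    M_ex, si = update_ex_case2(M, "s0", has_q)
    print("after PU1 adding (s0, %s):" % si, sat_ex(M_ex, "s0", has_q))
    print("(M, s0) |= AG p:", sat_ag(M, "s0", has_p))
    M_ag, cut = update_ag_case1(M, "s0", has_p)
    print("after PU2 removing", cut, ":", sat_ag(M_ag, "s0", has_p))
```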

Theorem 4 Let $M = (S, R, L)$ be a Kripke model, $\mathcal{M} = (M, s_0) \not\models EG\phi$, where $s_0 \in S$ 
and $\phi$ is a propositional formula. Let $\mathcal{M}' = Update(\mathcal{M}, EG\phi)$ be a model obtained from the 
update of $\mathcal{M}$ with $EG\phi$ in the following way; then $\mathcal{M}'$ is an admissible model: Select 
a path $\pi = [s_0, s_1, \cdots, s_i, \cdots, s_j, \cdots]$ from $M$ which contains the minimal number of different 
states not satisfying $\phi$ [3], and then 

1. if for all $s' \in \pi$ such that $L(s') \not\models \phi$, there exist $s_i, s_j \in \pi$ satisfying $s_i < s' < s_j$ and 
$\forall s \leq s_i$ or $\forall s \geq s_j$, $L(s) \models \phi$, then PU1 is applied to add a relation element $(s_i, s_j)$, 
or PU4 and PU1 are applied to add a state $s^*$ such that $L'(s^*) \models \phi$ and new relation 
elements $(s_i, s^*)$ and $(s^*, s_j)$; 

2. if $\exists s_i \in \pi$ such that $\forall s \leq s_i$, $L(s) \models \phi$, and $\exists s_k \in \pi''$, where $\pi'' = [s_0, \cdots, s_k, \cdots]$, such 
that $\forall s \geq s_k$, $L(s) \models \phi$, then PU1 is applied to connect $s_i$ and $s_k$; 

3. if $\exists s_i \in \pi$ ($i > 1$) such that for all $s' < s_i$, $L(s') \models \phi$, and $L(s_i) \not\models \phi$, then 

a. PU1 is applied to connect $s_{i-1}$ and $s'$ to form a new transition $(s_{i-1}, s')$; 

b. if $s_i$ is the only successor of $s_{i-1}$, then PU2 is applied to remove relation element $(s_{i-1}, s_i)$; 

4. if $\exists s' \in \pi$ such that $L(s') \not\models \phi$, then PU3 is applied to change the assignments for 
all such states $s'$ such that $L'(s') \models \phi$ and $diff(L(s'), L'(s'))$ is minimal. 

[3] Note that although a path may be infinite, it will only contain a finite number of different states. 

Proof: In case 1, without loss of generality, we assume that for the selected path $\pi$ there 
exist states $s'$ that do not satisfy $\phi$, and all other states in $\pi$ satisfy $\phi$. We also assume 
that such $s'$ are in the middle of path $\pi$. Therefore, there are two other states $s_i, s_j$ in 
$\pi$ such that $s_i < s' < s_j$. That is, $\pi = [s_0, \cdots, s_{i-1}, s_i, \cdots, s', \cdots, s_j, s_{j+1}, \cdots]$. We first 
consider applying PU1. It is clear that by applying PU1 to add a new relation element 
$(s_i, s_j)$, a new path is formed: $\pi' = [s_0, \cdots, s_{i-1}, s_i, s_j, s_{j+1}, \cdots]$. Note that each state 
in $\pi'$ is also in path $\pi$ and $s' \notin \pi'$. Accordingly, we know that $EG\phi$ holds in the new 
model $M' = (S, R \cup \{(s_i, s_j)\}, L)$ at state $s_0$. Consider $\mathcal{M} = (M, s_0)$ and $\mathcal{M}' = (M', s_0)$. 
Clearly, $Diff(\mathcal{M}, \mathcal{M}') = (\{(s_i, s_j)\}, \emptyset, \emptyset, \emptyset, \emptyset)$, which implies that $(M', s_0)$ must be a mini- 
mally changed model with respect to $\leq_M$ that satisfies $EG\phi$. 

Now we consider applying PU4 and PU1. In this case, we will have a new model 
$M' = (S \cup \{s^*\}, R \cup \{(s_i, s^*), (s^*, s_j)\}, L')$ where $L'$ is an extension of $L$ on the new state $s^*$ 
that satisfies $\phi$. We can see that $\pi' = [s_0, \cdots, s_i, s^*, s_j, \cdots]$ is a path in $M'$ which shares 
all states with path $\pi$ except the state $s^*$ in $\pi'$ and those states between $s_{i+1}$ and $s_{j-1}$, 
including $s'$, in $\pi$. So we also have $(M', s_0) \models EG\phi$. Furthermore, we have $Diff(\mathcal{M}, \mathcal{M}') = 
(\{(s_i, s^*), (s^*, s_j)\}, \emptyset, \emptyset, \{s^*\}, \emptyset)$. Obviously, $(M', s_0)$ is a minimally changed model with 
respect to $\leq_M$ that satisfies $EG\phi$. 

It is worth mentioning that in case 1, the model obtained by only applying PU1 is not 
comparable to the model obtained by applying PU4 and PU1, because no set inclusion 
relation holds for the changes on relation elements caused by these two different ways. 

In case 2, consider two different paths $\pi = [s_0, \cdots, s_i, \cdots]$ and $\pi'' = [s_0, \cdots, s_k, \cdots]$ such 
that all states before state $s_i$ in path $\pi$ satisfy $\phi$, and all states after state $s_k$ in path $\pi''$ 
satisfy $\phi$; then PU1 is applied to form a new transition $(s_i, s_k)$. This transition therefore 
connects all states from $s_0$ to $s_i$ in path $\pi$ and all states after $s_k$ in path $\pi''$. Hence all states 
in the new path $[s_0, \cdots, s_i, s_k, \cdots]$ satisfy $\phi$. Thus, $\mathcal{M}' \models EG\phi$. Such a change is also minimal, 
because after PU1 is applied, $Diff(\mathcal{M}, \mathcal{M}') = (\{(s_i, s_k)\}, \emptyset, \emptyset, \emptyset, \emptyset)$ is minimum and $(M', s_0)$ 
is a minimally changed model with respect to $\leq_M$ that satisfies $EG\phi$. 

In case 3, there are two situations. (a) If PU1 is applied to form a new transi- 
tion $(s_{i-1}, s')$, then a new path containing $[s_0, \cdots, s', \cdots, s_{i-1}, s', \cdots, s_{i-1}, s', \cdots]$ consists 
of a strongly connected component where all states satisfy $\phi$, and 
$Diff(\mathcal{M}, \mathcal{M}') = (\{(s_{i-1}, s')\}, \emptyset, \emptyset, \emptyset, \emptyset)$ is minimum. Thus, $(M', s_0)$ is a minimally changed 
model with respect to $\leq_M$ that satisfies $EG\phi$. 

(b) If PU2 is applied, then a new path $\pi'$ containing $[s_0, \cdots, s', \cdots, s_{i-1}]$ is derived 
where all states satisfy $\phi$ and $Diff(\mathcal{M}, \mathcal{M}') = (\emptyset, \{(s_{i-1}, s_i)\}, \emptyset, \emptyset, \emptyset)$ is minimal. Obviously, 
$(M', s_0)$ is a minimally changed model with respect to $\leq_M$ that satisfies $EG\phi$. 

In case 4, suppose that there are $n$ states on the selected path $\pi$ that do not satisfy $\phi$. 
After PU3 is applied to all these states, $Diff(\mathcal{M}, \mathcal{M}') = (\emptyset, \emptyset, \{s_1, s_2, \cdots, s_n\}, \emptyset, \emptyset)$, where 
for each $s' \in \{s_1, \cdots, s_n\}$, $diff(L(s'), L'(s'))$ is minimal. $Diff(\mathcal{M}, \mathcal{M}')$ in this case is not 
compatible with those in cases 1, 2 and 3. Thus, $(M', s_0)$ is a minimally changed model 
with respect to $\leq_M$ that satisfies $EG\phi$. □ 

Theorem 4 characterizes four typical situations for the update with formula $EG\phi$ where 
$\phi$ is a propositional formula. Basically, this theorem says that in order to make formula 
$EG\phi$ true, we first select a path, then we can either make a new path based on this path so 
that all states in the new path satisfy $\phi$ (i.e., case 1, case 2 and case 3(a)), or trim the path 
from the state where all previous states satisfy $\phi$ (i.e., case 3(b)), if the previous state has 
only this state as its successor; or simply change the assignments for all states not satisfying 
$\phi$ in the path (i.e., case 4). Our proof shows that models obtained from these operations 
are admissible. 

It is possible to provide further semantic characterizations for updates with other special 
CTL formulas such as $EF\phi$, $AX\phi$, and $E[\phi U \psi]$. In fact, in our prototype implementation, 
such characterizations have been used to simplify the update process whenever certain 
conditions hold. 

We should also indicate that all characterization theorems presented in this section only 
provide sufficient conditions to compute admissible models. There are other admissible 
models which will not be captured by these theorems. 

5. Computational Properties 

In this section, we study computational properties for our CTL model update approach in 
some detail. We will first present a general complexity result, and then we identify a useful 
subclass of CTL model updates which can always be achieved in polynomial time. 

5.1 The General Complexity Result 

Theorem 5 Given two CTL Kripke models $M = (S, R, L)$ and $M' = (S', R', L')$, where 
$s_0 \in S$ and $s'_0 \in S'$, and a CTL formula $\phi$, it is co-NP-complete to decide whether $(M', s'_0)$ 
is an admissible model of the update of $(M, s_0)$ to satisfy $\phi$. The hardness holds even if $\phi$ 
is of the form $EX\psi$ where $\psi$ is a propositional formula. 

Proof: Membership proof: Firstly, we know from Clarke et al. (1999) that checking 
whether $(M', s'_0)$ satisfies $\phi$ or not can be performed in time $O(|\phi| \cdot (|S| + |R|))$. In order 
to check whether $(M', s'_0)$ is an admissible update result, we need to check whether $M'$ is 
a minimally updated model with respect to ordering $\leq_M$. For this purpose, we consider 
the complement of the problem by checking whether $M'$ is not a minimally updated model. 
Therefore, we do two things: (1) guess another updated model of $M$, $M'' = (S'', R'', L'')$, 
satisfying $\phi$ for some $s'' \in S''$; and, (2) test whether $M'' <_M M'$. Step (1) can be done 
in polynomial time. To check $M'' <_M M'$, we first compute $diff(S, S')$, $diff(S, S'')$, 
$diff(R, R')$ and $diff(R, R'')$. All these can be computed in polynomial time. Then, ac- 
cording to these sets, we identify $Diff_{PU_i}(M, M')$ and $Diff_{PU_i}(M, M'')$ ($i = 1, \cdots, 5$) in 
terms of PU1 to PU5. Again, these steps can also be completed in polynomial time. Finally, 
by checking $Diff_{PU_i}(M, M'') \subseteq Diff_{PU_i}(M, M')$ ($i = 1, \cdots, 5$), and $diff(L(s), L''(s)) \subseteq 
diff(L(s), L'(s))$ for all $s \in Diff_{PU3}(M, M'')$ (if $Diff_{PU3}(M, M'') = Diff_{PU3}(M, M')$), 
we can decide whether $M'' <_M M'$. Thus, both steps (1) and (2) can be achieved in 
polynomial time with a non-deterministic Turing machine. 

Hardness proof: It is well known that the validity problem for a propositional formula 
is co-NP-complete. Given a propositional formula $\phi$, we construct a transformation from 
the problem of deciding $\phi$'s validity to a CTL model update in polynomial time. Let $X$ be 
the set of all variables occurring in $\phi$, and $a, b$ two new variables not occurring in $X$. We 
denote $\neg X = \bigwedge_{x \in X} \neg x$. Then, we specify a CTL Kripke model based on the variable set 
$X \cup \{a, b\}$: $M = (\{s_0, s_1\}, \{(s_0, s_1), (s_1, s_1)\}, L)$, where $L(s_0) = \emptyset$ (i.e., all variables are as- 
signed false), $L(s_1) = X$ (i.e., variables in $X$ are assigned true, while $a, b$ are assigned false). 
Now we define a new formula $\mu = EX(((\phi \supset a) \wedge (\neg X \wedge b)) \vee (\neg\phi \wedge a))$. Clearly, formula $((\phi \supset 
a) \wedge (\neg X \wedge b)) \vee (\neg\phi \wedge a)$ is satisfiable and $s_1 \not\models ((\phi \supset a) \wedge (\neg X \wedge b)) \vee (\neg\phi \wedge a)$. So $(M, s_0) \not\models \mu$. 
Consider the update $Update((M, s_0), \mu)$. We define $M' = (\{s_0, s_1\}, \{(s_0, s_1), (s_1, s_1)\}, L')$, 
where $L'(s_0) = L(s_0)$ and $L'(s_1) = \{a, b\}$. Next, we will show that $\phi$ is valid iff $(M', s_0)$ is 
an admissible update result from $Update((M, s_0), \mu)$. 

Case 1: We show that if $\phi$ is valid, then $(M', s_0)$ is an admissible update result from 
$Update((M, s_0), \mu)$. Since $\phi$ is valid, we have $\neg X \models \phi$. Thus, $L'(s_1) \models (\phi \supset a) \wedge (\neg X \wedge b)$. 
This leads to $(M', s_0) \models \mu$. Also note that $M'$ is obtained by applying PU3 to change $L(s_1)$ 
to $L'(s_1)$. $diff(L(s_1), L'(s_1)) = X \cup \{a, b\}$, which presents a minimal change from $L(s_1)$ in 
order to satisfy $(\phi \supset a) \wedge (\neg X \wedge b)$. 

Case 2: Suppose that $\phi$ is not valid. Then there exists $X_1 \subseteq X$ such that $X_1 \models \neg\phi$. We con- 
struct $M'' = (\{s_0, s_1\}, \{(s_0, s_1), (s_1, s_1)\}, L'')$, where $L''(s_0) = L(s_0)$ and $L''(s_1) = X_1 \cup \{a\}$. 
It can be seen that $L''(s_1) \models (\neg\phi \wedge a)$, hence $(M'', s_0) \models \mu$. Now we show that $(M', s_0) \models \mu$ 
implies $M'' <_M M'$. Suppose $(M', s_0) \models \mu$. Clearly, both $M'$ and $M''$ are ob- 
tained from $M$ by applying PU3 once to change the assignment on $s_1$. However, we have 
$diff(L(s_1), L''(s_1)) = (X - X_1) \cup \{a\} \subset X \cup \{a, b\} = diff(L(s_1), L'(s_1))$. Thus, we conclude 
that $(M', s_0)$ is not an admissible updated model. □ 

Theorem 5 implies that it is probably not feasible to develop a polynomial time algorithm 
to implement our CTL model update. Indeed, our algorithm described in the next section, 
generally runs in exponential time. 
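To make the reduction in the hardness proof concrete, here is an added Python example (not from the paper) that builds $M$ and $\mu$ from a propositional formula $\phi$, enumerates all PU3 relabelings of $s_1$ that make $\mu$ hold at $s_0$, keeps those with $\subseteq$-minimal $diff(L(s_1), L'(s_1))$, and checks that $L'(s_1) = \{a, b\}$ survives exactly when $\phi$ is valid; representing $\phi$ as a Python predicate on the set of true variables, and the two sample formulas, are assumptions of this example.

```python
# Added example, not from the paper: the co-NP hardness reduction of Theorem 5,
# restricted (as the proof is) to updates that apply PU3 once to state s1.
from itertools import combinations

def subsets(atoms):
    """All subsets of a finite set of atoms, as frozensets."""
    atoms = sorted(atoms)
    for k in range(len(atoms) + 1):
        for c in combinations(atoms, k):
            yield frozenset(c)

def is_valid(phi, X):
    """Brute-force validity of phi over X (phi: set of true variables -> bool)."""
    return all(phi(t) for t in subsets(X))

def build_reduction(phi, X):
    """Return (M, s0, chi): M = ({s0, s1}, {(s0, s1), (s1, s1)}, L) with
    L(s0) = {} and L(s1) = X, and chi the propositional body of mu = EX chi,
    i.e. ((phi -> a) and (not-X and b)) or (not-phi and a), evaluated on a
    labeling over X u {a, b}."""
    X = frozenset(X)
    def chi(lab):
        truth = lab & X                      # variables of X true in lab
        phi_true = phi(truth)
        neg_X = not truth                    # every x in X is false
        return ((not phi_true or "a" in lab) and neg_X and "b" in lab) \
            or (not phi_true and "a" in lab)
    S = {"s0", "s1"}
    R = {("s0", "s1"), ("s1", "s1")}
    L = {"s0": frozenset(), "s1": X}
    return (S, R, L), "s0", chi

def sat_mu(M, s0, chi):
    """(M, s0) |= EX chi."""
    S, R, L = M
    return any(chi(L[t]) for (u, t) in R if u == s0)

def minimal_pu3_relabelings(M, chi, atoms):
    """Labelings L'(s1) over `atoms` with chi(L'(s1)) true whose
    diff(L(s1), L'(s1)) is minimal under set inclusion (Definition 4, PU3 tie)."""
    S, R, L = M
    old = L["s1"]
    cands = [lab for lab in subsets(atoms) if chi(lab)]
    diffs = {lab: old ^ lab for lab in cands}
    return {lab for lab in cands
            if not any(diffs[o] < diffs[lab] for o in cands)}

def reduction_agrees(phi, X):
    """True iff: phi is valid  <=>  L'(s1) = {a, b} is a minimal PU3 update."""
    M, s0, chi = build_reduction(phi, X)
    assert not sat_mu(M, s0, chi)            # (M, s0) |/= mu, as the proof states
    minimal = minimal_pu3_relabelings(M, chi, set(X) | {"a", "b"})
    return is_valid(phi, X) == (frozenset({"a", "b"}) in minimal)

# Constructed inputs: a tautology and a non-valid formula over X = {x, y}.
X = {"x", "y"}
phi_valid = lambda t: ("x" in t) or ("x" not in t)     # x or not x
phi_x = lambda t: "x" in t                             # just x

if __name__ == "__main__":
    for name, phi in (("x or not x", phi_valid), ("x", phi_x)):
        M, s0, chi = build_reduction(phi, X)
        mins = minimal_pu3_relabelings(M, chi, X | {"a", "b"})
        print(name, "| valid:", is_valid(phi, X),
              "| minimal L'(s1):", sorted(sorted(l) for l in mins))
```

For the non-valid formula the minimal relabelings are $\{b\}$ and $\{a, y\}$; the latter is exactly the proof's $X_1 \cup \{a\}$ with $X_1 = \{y\}$, and $\{a, b\}$ is dominated by it.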

5.2 A Tractable Subclass of CTL Model Updates 

In the light of the complexity result of Theorem 5, we expect to identify some useful cases 
of CTL model updates which can be performed efficiently. First, we have the following 
observation. 

Observation: Let $M = (S, R, L)$ be a CTL Kripke model, $\phi$ a CTL formula and $(M, s_0) \not\models 
\phi$ where $s_0 \in S$. If an admissible model $Update((M, s_0), \phi)$ is obtained by only applying 
operations PU1 and PU2 to $M$, then this result can be computed in polynomial time. 

Intuitively, if an admissible updated model can be obtained by only using PUl and PU2, 
then it implies that we only need to at most visit all states and relation elements in M, and 
each operation involving PUl or PU2 can be completed by just adding or removing relation 
elements, which obviously can be done in linear time. 
This observation tells us that under certain conditions, operations PU1 and PU2 may be 
efficiently applied to compute an admissible model. This is quite obvious because both PU3 
and PU4 involve finding models for some propositional formulas, while applying 
PU3 usually also requires finding the minimal change on the assignment of the state; 
both of these operations may cost exponential time in the size of the input updating formula 
$\phi$. However, the above observation does not tell us what kinds of CTL model updates can 
really be achieved in polynomial time. In the following, we will provide a sufficient condition 
for a class of CTL model updates which can always be solved in polynomial time. 

We first specify a subclass of CTL formulas AEClass: (1) formulas $AX\phi$, $AG\phi$, $AF\phi$, 
$A[\phi_1 U \phi_2]$, $EX\phi$, $EG\phi$, $EF\phi$ and $E[\phi_1 U \phi_2]$ are in AEClass, where $\phi$, $\phi_1$ and $\phi_2$ are propo- 
sitional formulas; (2) if $\psi_1$ and $\psi_2$ are in AEClass, then $\psi_1 \wedge \psi_2$ and $\psi_1 \vee \psi_2$ are in 
AEClass; (3) no formulas other than those specified in (1) and (2) are in AEClass. We 
also call formulas of the forms specified in (1) atomic AEClass formulas. 

Note that AEClass is a class of CTL formulas without nested temporal operators. 
Although this is somewhat restricted, as we will show next, updates with this kind of CTL 
formulas may be much simpler than other cases. Now we define valid states and paths for 
AEClass formulas with respect to a given model. 

Definition 6 (Valid state and path for AEClass) Let $M = (S, R, L)$ be a CTL Kripke 
model, $\psi \in AEClass$, and $(M, s_0) \not\models \psi$, where $s_0 \in S$. We define $\psi$'s valid state or valid 
path in $(M, s_0)$ as follows. 

1. If $\psi$ is of the form $AX\phi$, then state $s \in S$ is a valid state of $\psi$ in $(M, s_0)$ if $(s_0, s) \in R$ 
and $L(s) \models \phi$; 

2. If $\psi$ is of the form (a) $AG\phi$, (b) $AF\phi$ or (c) $A[\phi_1 U \phi_2]$, then a path $\pi = [s_0, \cdots]$ is 
a valid path of $\psi$ in $(M, s_0)$ if $\forall s \in \pi$, $L(s) \models \phi$ (case (a)); $\exists s \in \pi$ and $s > s_0$, 
$L(s) \models \phi$ (case (b)); or $\exists s \in \pi$, $s \models \phi_2$ and $\forall s' < s$, $L(s') \models \phi_1$ (case (c)) respectively; 

3. If $\psi$ is of the form $EX\phi$, then state $s \in S$ is a valid state of $\psi$ in $(M, s_0)$ if $L(s) \models \phi$; 

4. If $\psi$ is of the form (a) $EG\phi$, (b) $EF\phi$ or (c) $E[\phi_1 U \phi_2]$, then a path $\pi = [s'_0, \cdots]$ 
($s'_0 \neq s_0$) is a valid path of $\psi$ in $(M, s_0)$ if $\forall s \in \pi$, $L(s) \models \phi$ and $L(s_0) \models \phi$ (case 
(a)); $\exists s \in \pi$ and $s > s'_0$, $L(s) \models \phi$ (case (b)); or $L(s_0) \models \phi_1$ and $\exists s \in \pi$, $L(s) \models \phi_2$ 
and $\forall s' < s$, $L(s') \models \phi_1$ (case (c)) respectively. 

For an arbitrary $\psi \in AEClass$, we say that $\psi$ has a valid witness in $(M, s_0)$ if every atomic 
AEClass formula occurring in $\psi$ has a valid state or path in $(M, s_0)$. 

Intuitively, for formulas AXφ, AGφ, AFφ and A[φ1Uφ2], a valid state or path in a CTL model represents a local structure that partially satisfies the underlying formula. For formulas EXφ, EGφ, EFφ and E[φ1Uφ2], on the other hand, a valid state or path represents a local structure which will satisfy the underlying formula once a relation element is added to connect this local structure to the initial state. 

Example 3 Consider the CTL Kripke model M in Figure 10 and formula EX(p ∧ q). Clearly, (M, s0) ⊭ EX(p ∧ q). Since p, q ∈ L(s3), s3 is a valid state of EX(p ∧ q). Then we can simply add one relation element (s0, s3) into M to form a new model M' so that (M', s0) ⊨ EX(p ∧ q). Obviously, (M', s0) is an admissible updated model. □ 

Figure 10: A simple CTL model update. 

From the above example, we observe that if we update a CTL model with an AEClass formula and this formula has a valid witness in the model, then it is possible to compute an admissible model by only adding or removing relation elements (i.e. operations PU1 and PU2). The following results confirm that a CTL model update with an AEClass formula can be achieved in polynomial time if the formula has a valid witness in the model. 

Theorem 6 Let M = (S, R, L) be a CTL Kripke model, ψ ∈ AEClass, and (M, s0) ⊭ ψ. Deciding whether ψ has a valid witness in (M, s0) can be solved in polynomial time. Furthermore, if ψ has a valid witness in (M, s0), then all valid states and paths of atomic AEClass formulas occurring in ψ can be computed from (M, s0) in time O(|ψ| · (|S| + |R|)²). 

Proof: To prove this theorem, we show that by using the CTL model checking algorithm SAT (Huth & Ryan, 2004), which takes a CTL Kripke model and an AEClass formula as inputs, we can generate all valid states and paths of atomic AEClass formulas occurring in ψ (if any). We know that the complexity of algorithm SAT is O(|ψ| · (|S| + |R|)). We consider each case of atomic AEClass formulas. 

ψ is AXφ. We use SAT to check whether (M, s0) ⊨ EXφ. If (M, s0) ⊭ EXφ, then AXφ does not have a valid state in (M, s0). Otherwise, SAT will return a state s such that L(s) ⊨ φ and (s0, s) ∈ R. Then remove relation element (s0, s) from M, and continue checking formula EXφ in the model. By the end of this process, we obtain all valid states in (M, s0) for formula AXφ. Altogether, there are at most |S| SAT calls. 

ψ is AGφ. We use SAT to check whether (M, s0) ⊨ EGφ. If (M, s0) ⊨ EGφ, then we can obtain from SAT a path π = [s0, s1, ...] in M such that ∀s ∈ π, L(s) ⊨ φ. Clearly, such a π is a valid path of AGφ. Now if there does not exist a state s* such that s* ∉ π and (s, s*) ∈ R for some s ∈ π, i.e. state s connects to state s* leading to a different path, then the process stops, and π is the only valid path for AGφ. Otherwise, we remove one relation element (s, s') from π (i.e. s, s' ∈ π) such that for all states s'' ∈ π where s' < s'', there is no relation element (s'', s*) leading to a different path (i.e. s* ∉ π). In this way, we disable path π from satisfying formula EGφ without affecting other paths. Then we continue checking formula EGφ in the newly obtained model. By the end of this process, we will have obtained all paths that make EGφ true, and these paths are all valid paths for AGφ. Since for each generated valid path we need to remove one relation element from this path before we generate the next valid path, there are at most |R| such valid paths to be generated. So all together, there are at most |R| SAT calls to find all valid paths of AGφ. 

In the cases of AFφ and A[φ1Uφ2], all valid paths for these formulas can be generated in a similar way as described above for formula AGφ. The only difference is that for the case of A[φ1Uφ2], once a valid path π has been generated, we need to find the last state s ∈ π before φ2 becomes true such that s connects to a state s* ∉ π leading to a different path; then we disable π by removing relation element (s, succ(s)) from π. Then we continue the procedure to generate the next valid path for A[φ1Uφ2]. If no such s exists in π, then the process stops. 

ψ is EXφ. In this case, each valid state s can be found by checking whether L(s) ⊨ φ. At most we need to visit |S| states for this checking. 

ψ is EGφ. Similarly, we can find a valid path by selecting a state s ∈ S (s ≠ s0) such that (M, s) ⊨ EGφ. At most, we need to visit |S| states, and have |S| SAT calls to check (M, s) ⊨ EGφ. 

Finally, valid paths for EFφ and E[φ1Uφ2] can be found in a similar way. □ 

Theorem 7 Let M = (S, R, L) be a CTL Kripke model, ψ ∈ AEClass, and (M, s0) ⊭ ψ. An admissible model Update((M, s0), ψ) can be computed in polynomial time if ψ has a valid witness in (M, s0). 

Proof: From the proof of Theorem 6, we can obtain all valid states and paths for all atomic AEClass formulas in ψ in time O(|ψ| · (|S| + |R|)²). Now we consider each case of atomic AEClass formulas ψ, while the cases of conjunctive and disjunctive AEClass formulas are easy to justify. 

ψ is AXφ. Let S* = {s1, ..., sk} be all valid states for AXφ. Then we remove all relation elements (s0, s) where s ∉ S*. In this way, we obtain a new model M' = (S, R', L), where R' = R − {(s0, s) | s ∉ S*}. Obviously, we have (M', s0) ⊨ AXφ. It is also easy to see that the change between M and M' is minimal in order to satisfy AXφ. So (M', s0) is also an admissible model. 

ψ is AGφ. Let S* be the set of all states that are in some valid paths of AGφ. For each state s' ∈ S such that L(s') ⊭ φ, we check whether s' is reachable from s0. If it is reachable, then we remove a relation element (s1, s2) from M so that s' becomes unreachable from s0 and (s1, s2) is not a relation element in a valid path of AGφ. Clearly, model (M', s0) will then satisfy AGφ. Also, checking whether a state is reachable from s0 can be done in polynomial time by computing a spanning tree of M rooted at s0 (Pettie & Ramachandran, 2002). 

ψ is AFφ. In this case, we need to cut all those paths starting from s0 that are not valid paths for AFφ in (M, s0). To do this, it is sufficient to disconnect all states that are reachable from s0 but do not occur in any of AFφ's valid paths in (M, s0). Let S* be the set of all these states, and R* be the set of all relation elements that are directly connected to these states, i.e. (s1, s2) ∈ R* iff s1 ∈ S* or s2 ∈ S*. Then we remove a minimal subset of R* from M such that removing them will disconnect all states in S* from s0. The set S* can be identified in polynomial time by computing a spanning tree of M rooted at s0, and the minimal subset of R* that disconnects all states in S* from s0 can be found in polynomial time as well. So the entire process can be completed in polynomial time. 

The case of A[φ1Uφ2] can be handled in a similar way as described above for AFφ. 

Now we consider that ψ is EXφ. In this case, we only need to select one valid state s for EXφ, and add relation element (s0, s) into M. Then the model (M', s0) satisfies EXφ. For the case of EGφ, we likewise select a valid path π = [s, ...] for EGφ, and then add a relation element (s0, s), so we have (M', s0) ⊨ EGφ. The other two cases of EFφ and E[φ1Uφ2] can be handled in a similar way. □ 
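The following is an added example, not code from the paper or its prototype, which carries Example 3 and the AXφ/EXφ cases of Theorem 7 through on a small Kripke model. The model FIG10, the predicate representation of propositional formulas and the function names are assumptions of this example; the exact shape of Figure 10 is not given on the page, so the model is constructed to match only the facts stated in Example 3 (s0 does not satisfy EX(p ∧ q), and s3 is labelled with p and q).

```python
# Added example (not from the paper): valid states of Definition 6 for the
# atomic AEClass formulas AXphi and EXphi, and the polynomial-time updates of
# Theorem 7 that only add (PU1) or remove (PU2) relation elements.
# A Kripke model is (S, R, L): S a set of state names, R a set of (s, s')
# pairs, L a dict from state to the set of atoms true there. A propositional
# formula phi is represented by a predicate over L(s).
from collections import namedtuple

Kripke = namedtuple("Kripke", "S R L")


def successors(M, s):
    return {t for (u, t) in M.R if u == s}


def holds_EX(M, s0, phi):
    return any(phi(M.L[t]) for t in successors(M, s0))


def holds_AX(M, s0, phi):
    return all(phi(M.L[t]) for t in successors(M, s0))


def valid_states_AX(M, s0, phi):
    # Definition 6(1): successors of s0 whose labelling satisfies phi
    return {t for t in successors(M, s0) if phi(M.L[t])}


def valid_states_EX(M, s0, phi):
    # Definition 6(3): any state whose labelling satisfies phi
    return {s for s in M.S if phi(M.L[s])}


def update_AX(M, s0, phi):
    """Theorem 7, AXphi case: keep the valid successors, drop all other
    relation elements leaving s0 (PU2).  Returns None when AXphi has no valid
    witness, i.e. no successor of s0 satisfies phi."""
    keep = valid_states_AX(M, s0, phi)
    if not keep:
        return None
    R2 = {(u, t) for (u, t) in M.R if not (u == s0 and t not in keep)}
    return Kripke(M.S, R2, M.L)


def update_EX(M, s0, phi):
    """Theorem 7, EXphi case: add one relation element (s0, s) to a valid
    state (PU1).  Returns None when no state of M satisfies phi."""
    if holds_EX(M, s0, phi):
        return M
    cands = valid_states_EX(M, s0, phi)
    if not cands:
        return None
    s = min(cands)  # the paper's choice is nondeterministic; fix one here
    return Kripke(M.S, M.R | {(s0, s)}, M.L)


# Constructed model in the spirit of Figure 10 / Example 3 (assumption: the
# figure's exact shape is not on the page).  s0 reaches s3 only via s1 and s2,
# and s3 is the only state labelled with both p and q.
FIG10 = Kripke(
    S={"s0", "s1", "s2", "s3"},
    R={("s0", "s0"), ("s0", "s1"), ("s1", "s2"), ("s2", "s3"), ("s3", "s3")},
    L={"s0": set(), "s1": {"p"}, "s2": {"q"}, "s3": {"p", "q"}},
)


def p_and_q(lab):
    return "p" in lab and "q" in lab


def example_3():
    """Example 3: (M, s0) does not satisfy EX(p and q); s3 is the valid state;
    adding (s0, s3) yields M' with (M', s0) satisfying EX(p and q).
    Returns the added relation elements and the satisfaction check."""
    M2 = update_EX(FIG10, "s0", p_and_q)
    return sorted(M2.R - FIG10.R), holds_EX(M2, "s0", p_and_q)


if __name__ == "__main__":
    print(example_3())
    has_p = lambda lab: "p" in lab
    M_ax = update_AX(FIG10, "s0", has_p)
    print(sorted(FIG10.R - M_ax.R), holds_AX(M_ax, "s0", has_p))
```

The AX update removes only relation elements leaving s0, which is exactly the set R − {(s0, s) | s ∉ S*} of the proof; the EX update adds exactly one element, so both changes are minimal in the sense of the proof.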

We should emphasize that although the above results characterize a useful subclass of CTL model update scenarios in which some admissible updated models can be computed through the simple operations of adding or removing relation elements, this does not mean that all such admissible models represent intuitive modifications from a practical viewpoint. Sometimes, for the same update problem, other operations such as PU3 and PU4 may be preferable in order to generate a sensible system modification. This will be illustrated in Section 7. 

6. CTL Model Update Algorithm 

We have implemented a prototype for CTL model update. In this implementation, the CTL model update algorithm is designed in line with the CTL model checking algorithm SAT (Huth & Ryan, 2004), where the updating formula is parsed according to its structure and recursive calls to the appropriate functions are used. This use of recursive calls allows the checked property φ to range from nested modalities to atomic propositional formulas. In this section, we focus our discussion on the key ideas of handling CTL model update and provide high-level pseudocode for the major functions of the algorithm. 

6.1 Main Functions 

Handling propositional formulas 

Since the satisfaction of a propositional formula does not involve any relation elements in a CTL Kripke model, we implement the update with a propositional formula directly through operation PU3, with a minimal change on the labeling function (the truth assignment) of the relevant state. This procedure is outlined as follows. 

* function Update_Prop((M, s0), φ) * 

input: (M, s0) and φ, where M = (S, R, L) and s0 ∈ S; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and L'(s'0) ⊨ φ; 

01 begin 
02 apply PU3 to change labeling function L on state s0 to form a new model M' = (S', R', L'): 
03 S' = S; R' = R; ∀s ∈ S such that s ≠ s0, L'(s) = L(s); 
04 L'(s0) is defined such that L'(s0) ⊨ φ, and diff(L'(s0), L(s0)) is minimal; 
05 return (M', s0); 
06 end 



It is easy to observe that this procedure implements the PMA belief update (Winslett, 1988). It is used at the lowest level of our CTL model update prototype. 

Handling modal formulas AFφ, EXφ and E[φ1Uφ2] 

From the De Morgan rules and equivalences given in Section 2.1, we know that all CTL formulas with modal operators can be expressed in terms of these three typical CTL modal formulas. Hence it is sufficient to give the update functions only for these three types of formulas, without considering other types of CTL modal formulas. 

* function Update_AF((M, s0), AFφ) * 

input: (M, s0) and AFφ, where M = (S, R, L), s0 ∈ S, and (M, s0) ⊭ AFφ; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and (M', s'0) ⊨ AFφ; 

01 begin 
02 if for all s ∈ S, (M, s) ⊭ φ 
03 then select a state s ∈ S that is reachable from s0, (M', s*) = CTLUpdate((M, s), φ)^4; 
04 else select a path π starting from s0 where for all s ∈ π, (M, s) ⊭ φ, and do (a) or (b): 
05 (a) select a state s ∈ π, (M', s') = CTLUpdate((M, s), φ); 
06 (b) apply PU2 to disable path π and form a new model: 
07 remove a relation element from π that does not affect other paths; 
08 form a new model M' = (S', R', L'): 
09 S' = S, R' = R − {(si, si+1)} (note (si, si+1) ⊆ π), and 
10 ∀s ∈ S', L'(s) = L(s); 
11 if (M', s'0) ⊨ AFφ, then return (M', s'0)^5; 
12 else Update_AF((M', s'0), AFφ); 
13 end 



Function Update_AF handles the update of formula AFφ as follows: if no state in the model satisfies formula φ, Update_AF first updates the model on one state to satisfy φ; otherwise, for each path in the model that fails to satisfy AFφ, Update_AF either disables this path in some minimal way, or updates this path to make it valid for AFφ. 

* function Update_EX((M, s0), EXφ) * 

input: (M, s0) and EXφ, where M = (S, R, L), s0 ∈ S, and (M, s0) ⊭ EXφ; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and (M', s'0) ⊨ EXφ; 

01 begin 
02 do one of (a), (b) and (c): 
03 (a) apply PU1 to form a new model: 
04 select a state s ∈ S such that (M, s) ⊨ φ; 
05 add a relation element (s0, s) to form a new model M' = (S', R', L'): 
06 S' = S; R' = R ∪ {(s0, s)}; ∀s ∈ S, L'(s) = L(s); 
07 (b) select a state s = succ(s0), (M', s*) = CTLUpdate((M, s), φ); 
08 (c) apply PU4 and PU1 to form a new model M' = (S', R', L'): 
09 S' = S ∪ {s*}; R' = R ∪ {(s0, s*)}; ∀s ∈ S, L'(s) = L(s), 
10 L'(s*) is defined such that (M', s*) ⊨ φ; 
11 if (M', s'0) ⊨ EXφ, then return (M', s'0); 
12 else Update_EX((M', s'0), EXφ); 
13 end 

4. Here CTLUpdate((M, s), φ) is the main update function that we describe later. 

5. Here s'0 is the corresponding state of s0 in the updated model M', and the same holds for the other functions described next. 

Function Update_EX may be viewed as the implementation of the characterization for EXφ in Theorem 2 in Section 4. However, it is worth mentioning that this algorithm illustrates the difference in φ between all the update functions and their corresponding update characterizations, and demonstrates the wider applicability of the algorithm compared with the characterizations. The use of recursive calls in the algorithm allows φ to be an arbitrary CTL formula rather than the propositional formula assumed in the characterizations. This is the major difference between the characterizations and the algorithmic implementation. 

* function Update_EU((M, s0), E[φ1Uφ2]) * 

input: (M, s0) and E[φ1Uφ2], where M = (S, R, L), s0 ∈ S, and (M, s0) ⊭ E[φ1Uφ2]; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and (M', s'0) ⊨ E[φ1Uφ2]; 

01 begin 
02 if (M, s0) ⊭ φ1, then (M', s'0) = CTLUpdate((M, s0), φ1); 
03 else do (a) or (b): 
04 (a) if (M, s0) ⊨ φ1, and there is a path π = [s*, ...] (s0 ≠ s*) 
05 such that (M, s*) ⊨ E[φ1Uφ2], 
06 then apply PU1 to form a new model M' = (S', R', L'): 
07 S' = S; R' = R ∪ {(s0, s*)}; ∀s ∈ S, L'(s) = L(s); 
08 (b) select a path π = [s0, ..., si, ..., sj, ...]; 
09 if ∀s, s0 ≤ s ≤ si, (M, s) ⊨ φ1, (M, sj) ⊨ φ2, 
10 but ∀s', si+1 ≤ s' ≤ sj−1, (M, s') ⊭ φ1 ∨ φ2, 
11 then apply PU1 to form a new model M' = (S', R', L'): 
12 S' = S; R' = R ∪ {(si, sj)}; ∀s ∈ S, L'(s) = L(s); 
13 if ∀s, s ≤ si, (M, s) ⊨ φ1, and ∀s', s' ≥ si+1, (M, s') ⊭ φ1 ∨ φ2, 
14 then apply PU4 to form a new model M' = (S', R', L'): 
15 S' = S ∪ {s*}; R' = R ∪ {(si−1, s*), (s*, si)}; 
16 ∀s ∈ S, L'(s) = L(s), and L'(s*) is defined such that (M', s*) ⊨ φ2; 
17 if (M', s'0) ⊨ E[φ1Uφ2], then return (M', s'0); 
18 else Update_EU((M', s'0), E[φ1Uφ2]); 
19 end 

To update (M, s0) to satisfy formula E[φ1Uφ2], function Update_EU first checks whether M satisfies φ1 at the initial state s0. If it does not, then Update_EU updates this initial state so that the model satisfies φ1 at its initial state. This makes the later update possible. Then, under the condition that (M, s0) satisfies φ1, Update_EU considers two cases: if there is a valid path in M for formula E[φ1Uφ2], then it simply links the initial state s0 to this path and forms a new path that satisfies E[φ1Uφ2] (i.e. case (a)); otherwise Update_EU directly selects a path and makes it satisfy formula E[φ1Uφ2] (i.e. case (b)). 

Handling logical connectives ∨ and ∧ 

With the De Morgan rules and equivalences on CTL modal formulas, an update for formula ¬φ can be handled quite easily. In fact we only need to consider a few primary forms of negated formulas in our algorithm implementation. Update with a disjunctive formula φ1 ∨ φ2, on the other hand, is simply implemented by calling CTLUpdate((M, s0), φ1) or CTLUpdate((M, s0), φ2) in a nondeterministic way. Hence here we only describe the function for updating with a conjunctive formula φ1 ∧ φ2. 

* function Update_∧((M, s0), φ1 ∧ φ2) * 

input: (M, s0) and φ1 ∧ φ2, where M = (S, R, L), s0 ∈ S, and (M, s0) ⊭ φ1 ∧ φ2; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and (M', s'0) ⊨ φ1 ∧ φ2; 

01 begin 
02 if φ1 ∧ φ2 is a propositional formula, then (M', s'0) = Update_Prop((M, s0), φ1 ∧ φ2); 
03 else (M*, s*0) = CTLUpdate((M, s0), φ1); 
04 (M', s'0) = CTLUpdate((M*, s*0), φ2) with constraint φ1; 
05 return (M', s'0); 
06 end 

Function Update_∧ handles the update for a conjunctive formula in an obvious way. Line 04 indicates that when we conduct the update with φ2, we should view φ1 as a constraint that the update has to obey. Without this condition, the result of updating with φ2 may violate the satisfaction of φ1 achieved in the previous update. We address this point in more detail in the next subsection. 

Finally, we describe the CTL model update algorithm as follows. 

* algorithm CTLUpdate((M, s0), φ) * 

input: (M, s0) and φ, where M = (S, R, L), s0 ∈ S, and (M, s0) ⊭ φ; 
output: (M', s'0), where M' = (S', R', L'), s'0 ∈ S' and (M', s'0) ⊨ φ; 

01 begin 
02 case 
03 φ is a propositional formula: return Update_Prop((M, s0), φ); 
04 φ is φ1 ∧ φ2: return Update_∧((M, s0), φ1 ∧ φ2); 
05 φ is φ1 ∨ φ2: return Update_∨((M, s0), φ1 ∨ φ2); 
06 φ is ¬φ1: return Update_¬((M, s0), ¬φ1); 
07 φ is AXφ1: return CTLUpdate((M, s0), ¬EX¬φ1); 
08 φ is EXφ1: return Update_EX((M, s0), EXφ1); 
09 φ is A[φ1Uφ2]: return CTLUpdate((M, s0), ¬(E[¬φ2U(¬φ1 ∧ ¬φ2)] ∨ EG¬φ2)); 
10 φ is E[φ1Uφ2]: return Update_EU((M, s0), E[φ1Uφ2]); 
11 φ is EFφ1: return CTLUpdate((M, s0), E[⊤Uφ1]); 
12 φ is EGφ1: return CTLUpdate((M, s0), ¬AF¬φ1); 
13 φ is AFφ1: return Update_AF((M, s0), AFφ1); 
14 φ is AGφ1: return CTLUpdate((M, s0), ¬E[⊤U¬φ1]); 
15 end case; 
16 end 
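The following is an added example, not the authors' prototype, that implements the recursive shape of CTLUpdate from Section 6.1 for a small fragment (atoms, ¬, ∧, ∨, EX, AX) together with Update_Prop, Update_EX and Update_∧, and the domain-constraint check of Section 6.2. The tuple encoding of formulas, the state and function names and the input model are assumptions of this example. Two simplifications are deliberate: AXφ is handled directly by PU2 (dropping successors that violate φ) instead of via ¬EX¬φ1, because Update_¬ is not spelled out on the page, and Update_EX omits case (b) (updating an existing successor) in favour of cases (a) and (c).

```python
# Added example (not the authors' prototype): recursive CTLUpdate for the
# fragment {atom, not, and, or, EX, AX}.  Formulas are nested tuples such as
# ("and", ("atom", "p"), ("EX", ("atom", "q"))).  A model is (S, R, L): S a
# frozenset of states, R a frozenset of (s, s') pairs, L a dict state -> frozenset
# of atoms.  Every function returns (S', R', L', s0') as in the paper.
from itertools import combinations


def sat(S, R, L, s, f):
    """Model checking (M, s) |= f for the fragment."""
    op = f[0]
    if op == "atom":
        return f[1] in L[s]
    if op == "not":
        return not sat(S, R, L, s, f[1])
    if op == "and":
        return sat(S, R, L, s, f[1]) and sat(S, R, L, s, f[2])
    if op == "or":
        return sat(S, R, L, s, f[1]) or sat(S, R, L, s, f[2])
    succ = [t for (u, t) in R if u == s]
    if op == "EX":
        return any(sat(S, R, L, t, f[1]) for t in succ)
    if op == "AX":
        return all(sat(S, R, L, t, f[1]) for t in succ)
    raise ValueError(op)


def is_prop(f):
    return f[0] == "atom" or (f[0] in ("not", "and", "or")
                              and all(is_prop(g) for g in f[1:]))


def atoms(f):
    return {f[1]} if f[0] == "atom" else set().union(*(atoms(g) for g in f[1:]))


def update_prop(S, R, L, s0, f):
    """Update_Prop: PU3 on s0 with diff(L'(s0), L(s0)) minimal (PMA update).
    Flip sets are tried in increasing size, so the search is O(2^|atoms(f)|)."""
    av = sorted(atoms(f))
    for k in range(len(av) + 1):
        for flip in combinations(av, k):
            L2 = dict(L)
            L2[s0] = L[s0] ^ frozenset(flip)
            if sat(S, R, L2, s0, f):
                return S, R, L2, s0
    raise ValueError("unsatisfiable propositional formula")


def update_EX(S, R, L, s0, f):
    """Update_EX: case (a) PU1, link s0 to a state that already satisfies phi;
    otherwise case (c) PU4+PU1, add a fresh state s* and update it recursively."""
    phi = f[1]
    for s in sorted(S):
        if sat(S, R, L, s, phi):
            return S, R | {(s0, s)}, L, s0
    star = "s*%d" % len(S)  # fresh state name (assumption of this example)
    S2, R2 = S | {star}, R | {(s0, star), (star, star)}
    L2 = {**L, star: frozenset()}
    S2, R2, L2, _ = ctl_update(S2, R2, L2, star, phi)
    return S2, R2, L2, s0


def update_AX(S, R, L, s0, f):
    """AX phi by PU2: remove every relation element from s0 to a violating state."""
    R2 = frozenset((u, t) for (u, t) in R if u != s0 or sat(S, R, L, t, f[1]))
    return S, R2, L, s0


def ctl_update(S, R, L, s0, f, constraint=None):
    """CTLUpdate dispatch.  `constraint` plays the role of the domain
    constraints C of Section 6.2: the candidate model must still satisfy it."""
    if sat(S, R, L, s0, f):
        res = (S, R, L, s0)
    elif is_prop(f):
        res = update_prop(S, R, L, s0, f)
    elif f[0] == "and":  # Update_and: update phi1, then phi2 under constraint phi1
        S1, R1, L1, s1 = ctl_update(S, R, L, s0, f[1])
        res = ctl_update(S1, R1, L1, s1, f[2], constraint=f[1])
    elif f[0] == "or":  # nondeterministic in the paper; take the left disjunct
        res = ctl_update(S, R, L, s0, f[1])
    elif f[0] == "EX":
        res = update_EX(S, R, L, s0, f)
    elif f[0] == "AX":
        res = update_AX(S, R, L, s0, f)
    else:
        raise ValueError("negated modal formulas are outside this fragment")
    S2, R2, L2, s2 = res
    assert sat(S2, R2, L2, s2, f)
    if constraint is not None and not sat(S2, R2, L2, s2, constraint):
        raise ValueError("candidate model violates the constraint")
    return res


# Constructed input (assumption): s0 is unlabelled and no state satisfies q.
S0 = frozenset({"s0", "s1"})
R0 = frozenset({("s0", "s0"), ("s0", "s1"), ("s1", "s1")})
L0 = {"s0": frozenset(), "s1": frozenset({"p"})}

if __name__ == "__main__":
    f = ("and", ("atom", "p"), ("EX", ("atom", "q")))
    S2, R2, L2, s = ctl_update(S0, R0, L0, "s0", f)
    print(sorted(S2), sorted(R2 - R0), {k: sorted(v) for k, v in L2.items()})
```

On the constructed input, updating with p ∧ EX q first applies PU3 at s0 (adding p), then, since no state satisfies q, PU4 adds a fresh state labelled q reached from s0; the constraint p is re-checked on the result, which is the point of line 04 of Update_∧.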

Theorem 8 Given a CTL Kripke model M = (S, R, L) and a satisfiable CTL formula φ, where (M, s0) ⊭ φ and s0 ∈ S, algorithm CTLUpdate((M, s0), φ) terminates and generates an admissible model that satisfies φ. In the worst case, CTLUpdate runs in time 

O(2^|φ| · |φ|² · (|S| + |R|)²). 

Proof: Since we have assumed that φ is satisfiable, from the above descriptions it is not difficult to see that CTLUpdate will only call these functions a finite number of times, and each call to these functions will (recursively) generate a result that satisfies the underlying updated formula, and then return to the main algorithm CTLUpdate. So CTLUpdate((M, s0), φ) will terminate, and the output model (M', s'0) satisfies φ. 

We can show that the output model (M', s'0) is admissible by induction on the structure of φ. The proof is quite tedious: it involves a detailed examination of φ running through each update function. Here it is sufficient to observe that in each update function, each time the input model is updated it is updated in a minimal way, e.g., the function adds one state or relation element, removes a minimal set of relation elements to disconnect a state, or updates a state minimally. With iterated updates on sub-formulas of φ, minimal changes on the original input model are retained. 

Now we consider the complexity of CTLUpdate. We first analyze these functions' complexity without considering their embedded recursions. Function Update_Prop updates a state by a propositional formula, which has worst-case time complexity O(2^|φ|). Function Update_AF contains the following major computations: (1) finding a reachable state in (M, s0); (2) selecting a path in which no state satisfies φ; and (3) checking (M', s'0) ⊨ AFφ. Task (1) can be achieved by computing a spanning tree of M rooted at s0, which can be done in time O(|R| · log|S|) (Pettie & Ramachandran, 2002). Task (2) can be reduced to finding a valid path for formula AGφ. From Theorem 6, this can be done in time O(|φ| · (|S| + |R|)²). Task (3) has the same complexity as task (2). So, overall, function Update_AF has complexity O(|φ| · (|S| + |R|)²). Similarly, we can show that functions Update_EU and Update_EX have complexity O(|φ| · (|S| + |R|)²) and O(|φ| · (|S| + |R|)² + 2^|φ|) respectively. The complexity of the other functions is obvious either from their implementations based on the De Morgan rules and equivalences, or from their calls to other functions (i.e. Update_¬) or to the main algorithm (i.e. Update_∧ and Update_∨). At most, algorithm CTLUpdate makes |φ| calls to other functions. Therefore, in the worst case, CTLUpdate runs in time O(2^|φ| · |φ|² · (|S| + |R|)²). □ 

6.2 Discussions 

It is worth mentioning that, except for functions Update_Prop, Update_¬ and Update_∧, all other functions used in algorithm CTLUpdate involve nondeterministic choices. This implies that algorithm CTLUpdate is not syntax independent. In other words, given a CTL model and two logically equivalent formulas, updating the model with one formula or the other may generate different admissible models. 

In the description of function Update_∧, we briefly mentioned the issue of constraints in a CTL model update. In general, when we perform a CTL model update, we usually have to protect some properties that should not be violated by the update procedure. These properties are usually called domain constraints. It is not difficult to modify algorithm CTLUpdate to cope with this requirement. In particular, suppose C is the set of domain constraints for a system specification M = (S, R, L), and we need to update (M, s0) with formula φ, where s0 ∈ S and C ∪ {φ} is satisfiable. Then in each function of CTLUpdate, we simply add a model checking condition on the candidate model M' = (S', R', L'): (M', s'0) ⊨ C (s'0 ∈ S'). The result (M', s'0) is returned from the function if it satisfies C. Otherwise, the function looks for another candidate model. Since model checking (M', s'0) ⊨ C can be done in time O(|C| · (|S'| + |R'|)), the modified algorithm does not significantly increase the overall complexity. In our implemented system prototype, we have integrated a generic constraint checking component as an option that can be added to our update functions so that domain constraints may be taken into account when necessary. 

In addition to the implementation of the algorithm CTLUpdate, we have implemented separate update functions for typical CTL formulas such as EXφ, EGφ, AFφ, EFφ, etc., where φ is a propositional formula, based on the characterizations provided in Section 4.2. These functions simplify an update procedure when the input formula does not contain nested CTL temporal operators or can be converted into such a simplified formula. 

7. Two Case Studies 

In this section, we show two case studies of applications of our CTL model update approach 
for system modifications. The two cases have been implemented in the CTL model updater 
prototype, which is a simplified compiler. In this prototype, the input is a complete CTL 
Kripke model and a CTL formula, and the output is an updated CTL Kripke model which 
satisfies the input formula. 

We should indicate that our prototype contains three major components: parsing, model 
checking and model update functions. The prototype first parses the input formula and 
breaks it down into its atomic subformulas. Then the model checking function checks 
whether the input formula is satisfied in the underlying model. If the formula is not satisfied 
in the model, our model checking function will generate all relevant states that violate the 
input formula. Consequently, this information will directly be used for the model update 
function to update the model. 

7.1 The Microwave Oven Example 

We consider the well-known microwave oven scenario presented by Clarke et al. (1999), which has been used to illustrate the CTL model checking algorithm on a model describing the behaviour of a microwave oven. The Kripke model shown in Figure 11 can be viewed as a hardware design of a microwave oven. In this Kripke model, each state is labeled with both the propositional atoms that are true in the state and the negations of the propositional atoms that are false in the state. The labels on the arcs represent the actions that cause state transitions in the Kripke model. Note that actions are not part of this Kripke model. The initial state is state 1. Then the given Kripke model M describes the behaviour of a microwave oven. 




Figure 11: CTL Kripke model M of a microwave oven. 



It is observed that this model does not satisfy the desired property φ = ¬EF(Start ∧ EG¬Heat): "once the microwave oven is started, the stuff inside will eventually be heated" (Clarke et al., 1999)^6. That is, (M, s1) ⊭ φ. What we would like to do is to apply our CTL model update prototype to modify this Kripke model so that it satisfies property φ. As we mentioned earlier, since our prototype combines formula parsing, model checking and model update, the update procedure for this case study does not exactly follow the generic CTL model update algorithm illustrated in Section 6. 




Figure 12: Updated microwave oven model using PU2. 



6. This formula is equivalent to AG(Start → AF Heat). 

First, we parse φ into AG(¬(Start ∧ EG¬Heat)) to remove the leading ¬. The translation is performed by function Update_¬, which is called in CTLUpdate((M, s1), φ). Then we check whether each state satisfies ¬(Start ∧ EG¬Heat). First, we select EG¬Heat to be checked using the model checking function for EG. In this model checking, each path in which every state satisfies ¬Heat is identified. Here we find paths [s1, s2, s5, s3, s1, ...] and [s1, s3, s1, ...], which are strongly connected component loops (Clarke et al., 1999) containing all states with ¬Heat. Thus the model satisfies EG¬Heat. Consequently, we identify all states with Start: they are {s2, s5, s6, s7}. Now we select those states with both Start and ¬Heat: they are {s2, s5}. Since the formula AG(¬(Start ∧ EG¬Heat)) requires that the model should not have any states with both Start and ¬Heat, we should perform a model update related to states s2 and s5. Now, using Theorem 3 in Section 4.2, the proper update is performed. Eventually, we obtain two possible minimal updates: (1) applying PU2 to remove relation element (s1, s2); or (2) applying PU3 to change the truth assignments on s2 and s5. After the update, the model satisfies formula φ and has a minimal change from the original model M. For instance, by choosing update (1) above, we obtain a new Kripke model (as shown in Figure 12), which simply states that no state transition from s1 to s2 is allowed, whereas by choosing update (2), we obtain a new Kripke model (as shown in Figure 13), which says that allowing the transition from state s1 to state s2 causes an error such that the microwave oven cannot start in s2, and this error message carries on to its next state s5. 




Figure 13: Updated microwave oven model using PU3. 
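The following is an added example, not the authors' prototype, that runs the two checks and the two minimal updates described above with set-based CTL evaluation: EG as a greatest fixpoint and AG as a reachability check (the approach of Clarke et al. that the text refers to). The transition relation and labelling below are a constructed assumption chosen only to agree with the facts the page states (the ¬Heat loops [s1, s2, s5, s3, s1] and [s1, s3, s1], Start holding in s2, s5, s6 and s7, and s2, s5 being the Start ∧ ¬Heat states); Figure 11 itself is not reproduced on the page, and only the atoms Start and Heat are modelled. The PU3 update is read as removing Start from s2 and s5, which is how the text describes Figure 13.

```python
# Added example (not the authors' prototype): the microwave oven check
# AG(not(Start and EG not Heat)) and the two updates (PU2 and PU3).
# Model CONSTRUCTED to match the facts stated on the page (assumption).
S = {"s1", "s2", "s3", "s4", "s5", "s6", "s7"}
R = {("s1", "s2"), ("s1", "s3"), ("s2", "s5"), ("s5", "s2"), ("s5", "s3"),
     ("s3", "s1"), ("s3", "s6"), ("s6", "s7"), ("s7", "s4"), ("s4", "s1"),
     ("s4", "s3"), ("s4", "s4")}
L = {"s1": set(), "s2": {"Start"}, "s3": set(), "s4": {"Heat"},
     "s5": {"Start"}, "s6": {"Start"}, "s7": {"Start", "Heat"}}


def states_with(L, atom):
    return {s for s in L if atom in L[s]}


def pre(R, Z):
    # states with at least one successor in Z (EX on state sets)
    return {u for (u, t) in R if t in Z}


def EG(S, R, Z):
    # greatest fixpoint of Y = Z and EX Y: states from which some path stays in Z
    Y = set(Z)
    while True:
        Y2 = Y & pre(R, Y)
        if Y2 == Y:
            return Y
        Y = Y2


def reachable(R, s0):
    seen, stack = {s0}, [s0]
    while stack:
        u = stack.pop()
        for (a, b) in R:
            if a == u and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def bad_states(S, R, L):
    """States satisfying Start and EG not Heat, i.e. violating the body of AG."""
    not_heat = S - states_with(L, "Heat")
    return states_with(L, "Start") & EG(S, R, not_heat)


def holds_AG_property(S, R, L, s0="s1"):
    """AG(not(Start and EG not Heat)) holds at s0 iff no bad state is reachable."""
    return not (bad_states(S, R, L) & reachable(R, s0))


def update_PU2(S, R, L):
    # update (1): remove the relation element (s1, s2)
    return S, R - {("s1", "s2")}, L


def update_PU3(S, R, L):
    # update (2): change the truth assignment on s2 and s5 (Start no longer holds)
    L2 = {s: set(v) for s, v in L.items()}
    for s in ("s2", "s5"):
        L2[s].discard("Start")
    return S, R, L2


if __name__ == "__main__":
    print(sorted(bad_states(S, R, L)))
    print(holds_AG_property(S, R, L))
    print(holds_AG_property(*update_PU2(S, R, L)))
    print(holds_AG_property(*update_PU3(S, R, L)))
```

On this model the EG fixpoint returns exactly the states on the two ¬Heat loops, the bad states are s2 and s5 as in the text, and both updates make the property hold: PU2 because s2 and s5 become unreachable from s1, PU3 because no reachable state is labelled Start ∧ ¬Heat any more.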



7.2 Updating the Andrew File System 1 Protocol 

The Andrew File System 1 (AFS1) (Wing & Vaziri-Farahani, 1995) is a cache coherence protocol for a distributed file system. AFS1 applies a validation-based technique to the client-server protocol, as described by Wing and Vaziri-Farahani (1995). In this protocol, a client has two initial states: either it has no files, or it has one or more files but no beliefs about their validity. If the protocol starts with the client having suspect files, then the client may request a file validation from the server. If the file is invalid, then the client requests a new copy and the run terminates. If the file is valid, the protocol simply terminates. 



AFS1 is abstracted as a model with one client, one server and one file. The state transition diagrams for the single client and server modules are presented in Figure 14. The nodes and arcs are labelled with the value of the state variable belief and with the name of the received message that causes the state transition, respectively. A protocol run begins at an initial state (one of the leftmost nodes) and ends at a final state (one of the rightmost nodes). 



Figure 14: State transition diagrams for AFS1 (Client and Server modules). 

The client's belief about a file has 4 possible values {nofile, valid, invalid, suspect}, where nofile means that the client cache is empty; valid, that the client believes its cached file is valid; invalid, that it believes its cached file is not valid; and suspect, that it has no belief about the validity of the file (it could be valid or invalid). The server's belief about the file cached by the client ranges over {valid, invalid, none}, where valid means that the server believes that the file cached at the client is valid; invalid, that the server believes it is not valid; and none, that the server has no belief about the existence of the file in the client's cache or its validity. 

The set of messages that the client may send to the server is {fetch, validate}. The message fetch stands for a request for a file, and the validate message is used by the client to determine the validity of the file in its cache. The set of messages that the server may send to the client is {val, inval}. The server sends the val (inval) message to indicate to the client that its cached file is valid (invalid). The variable valid-file is used when the client has a suspect file in its cache and requests a validation from the server. If an update by some other client has occurred, then the server reflects this fact by nondeterministically setting the value of valid-file to 0; otherwise, to 1 (the file cached at the client is still valid). The specification property for AFS1 is: 

AG((Server.belief = valid) → (Client.belief = valid)). (1) 

In this file system design, the client belief leads the server belief. This specification property has been deliberately chosen to fail for AFS1 (Wing & Vaziri-Farahani, 1995). Thus, after model updating, we do not need to pay much attention to the rationality of the updated models. Our model updater will update the AFS1 model to derive admissible models which satisfy the specification property (1). In this case study, we focus on the update procedure according to the functionality of the prototype. 

Extracting the Kripke model of AFSl from NuSMV 

It should be noted that, in our CTL model update algorithm described in Section 6, the complete Kripke model describing the system behaviours is one of the two input parameters (i.e., (M, s0) and φ), while the original AFS1 model checking process demonstrated in (Wing & Vaziri-Farahani, 1995) does not contain such a Kripke model. In fact, it only provides SMV model definitions (e.g., AFS1.smv) as input to the SMV model checker. This requires an initial extraction of a complete AFS1 Kripke model before performing any update of it. For this purpose, NuSMV (Cimatti et al., 1999) has been used to derive the Kripke model for the loaded model (AFS1). The output Kripke model is shown in Figure 15. This method can also be used for extracting any other Kripke model. 



Figure 15: CTL Kripke model of AFS1. Legend from the figure: #1: Client.out = {0, fetch, validate}; #2: Client.belief = {valid, invalid, suspect, nofile}; #3: Server.out = {0, val, inval}; #4: Server.belief = {none, valid, invalid}; #5: Server.valid-file = {true, false}. The numbering #1 to #5 shows the order of the variables in a state; the initials of the variables' values are shown in the states. Initial states: {11, 12, 13, 14}. False states: {19, 20, 23, 24, 7, 8}. 



In the AFS1 Kripke model (see Figure 15), there are 26 reachable states (out of 216 states in total) with 52 transitions between them. The model contains 4 initial states {11, 12, 13, 14} and 5 variables, each individual variable having 2, 3 or 4 possible values. These variables are: "Client.out" (range {0, fetch, validate}); "Client.belief" (range {valid, invalid, suspect, nofile}); "Server.out" (range {0, val, inval}); "Server.belief" (range {none, valid, invalid}); and "Server.valid-file" (range {true, false}). 

Update procedure 

Model checking: In our CTL model update prototype, we first check whether formula (1) is 
satisfied by the AFS1 model. That is, we need to check whether each reachable state satisfies 
either Server.belief ≠ valid or Client.belief = valid. Our model updater identifies that 
the set of reachable states that do not satisfy these conditions is {19, 20, 23, 24, 7, 8}. We 
call these states false states. 

Model update: Figure 15 reveals that each false state in AFS1 is on a different path. From 
Theorem 3 in Section 4 and $Update_{AG}$ in Section 6, we know that to update the model 
to satisfy the property, operations PU2 and PU3 may be applied to these false states in 
certain combinations. As a result, one admissible model is depicted in Figure 16. This 
model results from the update where each false state on each false path is updated using 
PU2. We observe that after the update, states 25, 26, 15 and 16 are no longer reachable 
from initial states 11 and 12, and states 9 and 10 become unreachable from initial states 13 
and 14. 



Figure 16: One of the admissible models from AFS1 model update. (Same variable legend 
and state notation as Figure 15.) 
We should note that Figure 16 only presents one possible updated model after the up- 
date of the AFS1 model. In fact, there are many possible admissible models. For instance, 
instead of only using the PU2 operation, we could also use both PU2 and PU3 in different com- 
binations to produce many other admissible models. The total number of such admissible 
models is 64. 

8. Optimizing Update Results 

From Section 7.2, we observe that very often, our CTL model update approach may derive 
many more possible admissible models than we really need. In practice, we would expect 
that the solution of a CTL model update provides more concrete information to correct 
the underlying system specification. This motivates us to improve our CTL model update 
approach so that we can eliminate unnecessary admissible models and narrow down the 
update results. 

Consider the AFS1 update case again. While the model described in Figure 16 satisfies the 
required property and is admissible, it does not retain a structure similar to the 
original AFS1 model. This implies that after the update, there is a significant change to 
the system behaviour. So this admissible model may not represent a desirable correction of 
the original system. One way to reduce this possibility is to impose the notion of maximal 
reachable states on the minimal change principle, so that each possible updated model will 
also retain as many reachable states as possible from the original model. 

Given a Kripke model $M = (S, R, L)$ and $s_0 \in S$, and let $\mathcal{M} = (M, s_0)$, we say that 
$s'$ is a reachable state of $\mathcal{M}$ if there is a path in $M = (S, R, L)$ of the form $\pi = [s_0, s_1, \cdots]$ 
where $s' \in \pi$. $RS(\mathcal{M}) = RS(M, s_0)$ is used to denote the set of all reachable states of 
$\mathcal{M}$. Now, we propose a refined CTL model update principle which can significantly reduce 
the number of updated models. Let $M = (S, R, L)$ be a CTL Kripke model and $s_0 \in S$. 
Suppose $M' = (S', R', L')$ and $(M', s'_0)$ is an updated model obtained from the update of 
$(M, s_0)$ to satisfy some CTL formula. We specify that 

$RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') = \{\, s \mid s \in RS(\mathcal{M}) \cap RS(\mathcal{M}') \text{ and } L(s) = L'(s) \,\}.$ 

States in $RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}')$ are the common reachable states in $\mathcal{M}$ and $\mathcal{M}'$, called un- 
changed reachable states. Note that a state having the same name may be reachable in two 
different models but with different truth assignments defined by $L$ and $L'$ respectively. In 
this case, this state is not a common reachable state for $\mathcal{M}$ and $\mathcal{M}'$. 

Definition 7 (Minimal change with maximal reachable states) Given a CTL Kripke 
model $M = (S, R, L)$, $\mathcal{M} = (M, s_0)$ where $s_0 \in S$, and a CTL formula $\phi$, a model 
$Update(\mathcal{M}, \phi)$ is called committed with respect to the update of $\mathcal{M}$ to satisfy $\phi$, if the 
following conditions hold: (1) $Update(\mathcal{M}, \phi) = \mathcal{M}' = (M', s'_0)$ is admissible; and, (2) 
there is no other model $\mathcal{M}'' = (M'', s''_0)$ such that $\mathcal{M}'' \models \phi$ and $RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') \subset 
RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}'')$. 

Condition (2) in Definition 7 ensures that a maximal set of unchanged reachable states 
is retained in the updated model. As we will prove next, the amended CTL model update 
approach based on Definition 7 does not significantly increase the overall computational 
cost. 
Lemma 1 Given a CTL Kripke model $M = (S, R, L)$, $\mathcal{M} = (M, s_0)$ where $s_0 \in S$, a CTL 
formula $\phi$, and two models $\mathcal{M}' = (M', s'_0)$ and $\mathcal{M}'' = (M'', s''_0)$ from the update of $(M, s_0)$ 
to satisfy $\phi$, checking whether $RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') \subset RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}'')$ can be achieved 
in polynomial time. 

Proof: For a given $M = (S, R, L)$, we can view $M$ as a directed graph $G(M) = (S, R)$, 
where $S$ is the set of vertices and $R$ represents all edges in the graph. Obviously, the prob- 
lem of finding all reachable states from $s_0$ in $M$ is the same as that of finding all reachable 
vertices from vertex $s_0$ in graph $G(M)$, which can be obtained by computing a spanning tree 
with root $s_0$ in $G(M)$. It is well known that a spanning tree can be computed in polynomial 
time (Pettie & Ramachandran, 2002). Therefore, all sets $RS(\mathcal{M})$, $RS(\mathcal{M}')$, and $RS(\mathcal{M}'')$ 
can be obtained in polynomial time. Also, $RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') \subset RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}'')$ can 
be checked in polynomial time. □ 

Theorem 9 Given two CTL Kripke models $M = (S, R, L)$ and $M' = (S', R', L')$, where 
$s_0 \in S$ and $s'_0 \in S'$, and a CTL formula $\phi$, it is co-NP-complete to decide whether $(M', s'_0)$ 
is a committed result of the update of $(M, s_0)$ to satisfy $\phi$. 

Proof: Since every committed result is also an admissible one, from Theorem 5, the hard- 
ness holds. For the membership, we need to check (1) whether $(M', s'_0)$ is admissible; and, 
(2) that an updated model $M''$ does not exist such that $(M'', s''_0) \models \phi$ and $RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') \subset 
RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}'')$. From Theorem 5, checking whether $(M', s'_0)$ is admissible is in co-NP. For (2), 
we consider its complement: an updated model $M''$ exists such that $(M'', s''_0) \models \phi$ and 
$RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}') \subset RS(\mathcal{M}) \cap^{\sim} RS(\mathcal{M}'')$. From Lemma 1, we can conclude that this 
problem is in NP. Consequently, the original problem of checking (2) is in co-NP. □ 

As in Section 4, for many commonly used CTL formulas, we can also provide useful 
semantic characterizations to simplify the process of computing a committed model in an 
update. Here, we present one such result for formula $AF\phi$, where $\phi$ is a propositional 
formula. Given a CTL model $M = (S, R, L)$ such that $(M, s_0) \not\models AF\phi$ ($s_0 \in S$), we recall 
that $\pi = [s_0, \cdots]$ in $(M, s_0)$ is a valid path of $AF\phi$ if there exists some state $s \in \pi$ with $s > s_0$ 
such that $L(s) \models \phi$; otherwise, $\pi$ is called a false path of $AF\phi$. 

Theorem 10 Let $M = (S, R, L)$ be a Kripke model, and $\mathcal{M} = (M, s_0) \not\models AF\phi$, where 
$s_0 \in S$ and $\phi$ is a propositional formula. Let $\mathcal{M}' = Update(\mathcal{M}, AF\phi)$ be a model obtained 
by the following 1 or 2; then $\mathcal{M}'$ is a committed model. For each false path $\pi = [s_0, s_1, \cdots]$: 

1. if there is no other false path $\pi'$ sharing any common state with $\pi$, then PU3 is applied 
to any state $s \in \pi$ ($s > s_0$) to change $s$'s truth assignment such that $L'(s) \models \phi$ and 
$Diff(L(s), L'(s))$ is minimal; otherwise, this operation is only applied to a shared 
state $s_j$ ($j > 0$) in the maximum number of false paths; 

2. PU2 is applied to remove relation element $(s_0, s_1)$, if $s_1$ also occurs in another valid 
path $\pi'$, where $\pi' = [s_0, s'_1, \cdots, s'_k, s_1, s'_{k+1}, \cdots]$ and there exists some $s'_i$ ($1 \leq i \leq k$) 
such that $L(s'_i) \models \phi$. 
Proof: We first prove Result 1. Consider a false path $\pi = [s_0, \cdots, s_i, s_{i+1}, \cdots]$. Since each 
state in $\pi$ does not satisfy $\phi$, we need to (minimally) change one state $s$'s truth assignment 
along this path so that $L'(s)$ satisfies $\phi$ (i.e., apply PU3 once). If there is no other false 
path that shares any states with $\pi$, then we can apply PU3 on any state in path $\pi$. In this 
case, only one reachable state in the original model with respect to this path is changed to 
satisfy $\phi$. Thus, the updated model retains a maximal set of unchanged states. 

Suppose that there are other false paths sharing a common state with $\pi$. Without loss 
of generality, let $\pi' = [s_0, \cdots, s_i, s'_{i+1}, \cdots]$ be a false path sharing a common state $s_i$ 
with $\pi$. Then applying PU3 to any state other than $s_i$ in $\pi$ will not necessarily retain a 
maximal set of unchanged reachable states, because a further change on some state, such as 
$s_i$, would then have to be made in path $\pi'$ in order to make $\pi'$ valid. Since $s_i$ is a state shared 
between the two paths $\pi$ and $\pi'$, it follows that updating two states with PU3 does not retain a 
maximal set of unchanged reachable states, compared to changing only the one state $s_i$ that makes 
both $\pi$ and $\pi'$ valid. 

Now we consider the general case. In order to retain a maximal set of unchanged 
reachable states in the original model, we should consider all states in $\pi$ that are also in 
other false paths. In this case, we only need to apply the PU3 operation to one state $s_j$ in $\pi$ 
that is shared by a maximal number of false paths. In this way, changing $s_j$ to satisfy $\phi$ 
will also minimally change other false paths to be valid at the same time. Consequently, we 
retain a maximal set of unchanged reachable states in the original model. 

Now we prove Result 2. Let $\pi = [s_0, s_1, s_2, \cdots]$ be a false path. According to the 
condition, there is a valid path $\pi'$ of the form $\pi' = [s_0, s'_1, \cdots, s'_k, s_1, \cdots]$, where for 
some $s'_i \in \pi'$ ($1 \leq i \leq k$), $s'_i \models \phi$. Note that the third path, formed from $\pi$ and $\pi'$, 
$\pi'' = [s_0, s'_1, \cdots, s'_k, s_1, s_2, \cdots]$, is also valid. Applying PU2 on relation element $(s_0, s_1)$ will 
simply eliminate the false path $\pi$ from the model. Under the condition, it is easy to see that 
this operation does not actually affect the state reachability in the original model, because 
the valid path $\pi''$ still connects $s_1$, and all states in path $\pi$ remain reachable from $s_0$ 
through path $\pi''$. This is described in Figure 17 as follows. □ 

As an optimization of function $Update_{AF}$ described in Section 6.1, Theorem 10 proposes 
an efficient way to update a CTL model to satisfy formula $AF\phi$ while guaranteeing that the 
updated model retains a maximal set of reachable states from the original model. Compared with 
(a) in function $Update_{AF}$, which updates any state in a path, case 1 in Theorem 10 only 
updates a state shared by the maximum number of false paths, to minimize changes in an 
update and protect unchanged reachable states. Compared with (b) in function $Update_{AF}$, 
which could disconnect a false path and make the disconnected part unreachable, case 2 in 
Theorem 10 only disconnects a false path that is accompanied by an alternate path, ensuring 
the disconnected part remains reachable via the alternate path. This theorem illustrates the 
principle of optimization for the characterizations of other CTL formulas. 

In general, committed models can be computed by revising our previous CTL model 
update algorithms with particular emphasis on identifying maximal reachable states. As an 
example, using the improved approach, we can obtain a committed model of the AFS1 model 
update (as illustrated in Figure 18), which rules out the model presented in Figure 16. It 
can be shown that, using the improved approach for the AFS1 model update, the total 
number of possible updated models is reduced from 64 to 36. 
Figure 18: One of the committed models of AFS1. (Same variable legend and state 
notation as Figure 15.) 
9. Concluding Remarks 

In this paper, we present a formal approach to the update of CTL models. By specifying 
primitive operations on CTL Kripke models, we have defined the minimal change criteria for 
CTL model update. The semantic and computational properties of our approach are also 
investigated in some detail. Based on this formalization, we have developed a CTL model 
update algorithm and implemented a system prototype to perform CTL model update. 
Two case studies are used to demonstrate important applications of this work. 

There are a number of issues that merit further investigations. Our current research 
focuses on the following two tasks: 

- Partial CTL model update: In our current approach, a model update is performed on a 
complete Kripke model. In practice, this may not be feasible if the system is complex 
with a large number of states and transition relations. One possible method to handle 
this problem is to employ the model checker to extract partial useful information and 
use it as the model update input. This could be a counterexample or a partial Kripke 
model containing components that should be repaired (Buccafurri, Eiter, Gottlob, & 
Leone, 2001; Clarke, Jha, Lu, & Veith, 2002; Groce & Visser, 2003; Rustan, Leino, 
Millstein, & Saxe, 2005). In this way, the update can be directly performed on this 
counterexample or partial model to generate possible corrections. It is possible to 
develop a unified prototype integrating model checking (e.g., SMV) and model update. 

- Combining maximal structure similarity with minimal change: As demonstrated in 
Section 8, the principle of minimal change with maximal reachable states may sig- 
nificantly reduce the number of updated models. However, it is evident that this 
maximal reachable states principle is applied after the minimal change (see Definition 
7). We may improve this principle by defining a unified analogue that integrates both 
minimal change and maximal structural similarity at the same level. This may further 
restrict the number of final updated models. This unified principle may be defined 
based on the notion of bisimulation of Kripke models (Clarke, Grumberg, Jha, Lu, 
& Veith, 2003). For instance, if two states are preserved in an update and there is a 
path between these two states in the original model, then the new definition should 
preserve this path in the updated model as well, so that the updated model retains 
maximal structural similarity with respect to the original. Consider the committed 
model described in Figure 18: since there is a path from state 21 to state 26 in the 
original model (i.e., Figure 15), we would require retention of the path between 21 
and 26 in the updated model. Accordingly, the model displayed in Figure 18 should 
be ruled out as a final updated model. 